Export Restrictions Current 2008 - SSH

This is a discussion on Export Restrictions Current 2008 - SSH ; Howdy, I'm looking for up to date info on US SSH export restrictions. As I understand it, the RSA issue, which was patent-related, went away in 2000-2001, and the "SSH is a munition" issue, which was national security silliness, largely ...

+ Reply to Thread
Results 1 to 10 of 10

Thread: Export Restrictions Current 2008

  1. Export Restrictions Current 2008

    Howdy,

    I'm looking for up to date info on US SSH export restrictions. As I
    understand it, the RSA issue, which was patent-related, went away in
    2000-2001, and the "SSH is a munition" issue, which was national
    security silliness, largely went away in 2006, except to the extent
    that one still cannot "export" SSH to a "terrorist state" like Cuba, N
    Korea, Iran, etc.

    Core reason for me asking is Juniper JunOS still does not include SSH
    in the International version due to "government export restrictions".
    I'm sure shipping the Domestic version of JunOS, which includes SSHD,
    is against the terms of the license, so I won't go into that. After
    all, Solaris 10 has had SSHD for some time now.

    Can I legally ship a system with SSHD outside the US, except to a
    rogue state?

    If I can, do I have to present some kind of certification that I'm
    exporting the software only to nice people?

    TIA,
    -wsanders


  2. Re: Export Restrictions Current 2008

    On 2008-06-13, w sanders wrote:

    > Core reason for me asking is Juniper JunOS still does not include SSH
    > in the International version due to "government export restrictions".
    > I'm sure shipping the Domestic version of JunOS, which includes SSHD,


    For s/w already available as a part of widely-distributed systems
    (and SSH surely qualifies) I believe all you have to do is notify
    the government at their email addresses.

    A bit more detail at:
    http://www.crypto.com/exports/mail.txt

    It's also possible that JunOS contains some other crypto for which
    the export isn't so simple. Or that people are using the issue as
    an excuse for market segmentation or something.

    IANAL

    --
    Elvis Notargiacomo master AT barefaced DOT cheek
    http://www.notatla.org.uk/goen/

  3. Re: Export Restrictions Current 2008

    On Jun 13, 11:42*pm, w sanders wrote:
    > Howdy,
    >
    > I'm looking for up to date info on US SSH export restrictions. As I
    > understand it, the RSA issue, which was patent-related, went away in
    > 2000-2001, and the "SSH is a munition" issue, which was national
    > security silliness, largely went away in 2006, except to the extent
    > that one still cannot "export" SSH to a "terrorist state" like Cuba, N
    > Korea, Iran, etc.
    >
    > Core reason for me asking is Juniper JunOS still does not include SSH
    > in the International version due to "government export restrictions".
    > I'm sure shipping the Domestic version of JunOS, which includes SSHD,
    > is against the terms of the license, so I won't go into that. After
    > all, Solaris 10 has had SSHD for some time now.
    >
    > Can I legally ship a system with SSHD outside the US, except to a
    > rogue state?
    >
    > If I can, do I have to present some kind of certification that I'm
    > exporting the software only to nice people?
    >
    > TIA,
    > -wsanders


    *TALK TO A LAWYER*. A competent one. The regulations about exporting
    encryption are pretty clearly unconstitutional, and are unclear enough
    that it makes sense to have someone with the relevant background
    review it. A lot of its enforcement seems to be by standard practices
    and selective enforcement, rather than any clear standard.

  4. Re: Export Restrictions Current 2008

    Nico Kadel-Garcia writes:

    >On Jun 13, 11:42=A0pm, w sanders wrote:
    >> Howdy,
    >>
    >> I'm looking for up to date info on US SSH export restrictions. As I
    >> understand it, the RSA issue, which was patent-related, went away in
    >> 2000-2001, and the "SSH is a munition" issue, which was national
    >> security silliness, largely went away in 2006, except to the extent
    >> that one still cannot "export" SSH to a "terrorist state" like Cuba, N
    >> Korea, Iran, etc.
    >>
    >> Core reason for me asking is Juniper JunOS still does not include SSH
    >> in the International version due to "government export restrictions".


    Have they read the regulations?

    >> I'm sure shipping the Domestic version of JunOS, which includes SSHD,
    >> is against the terms of the license, so I won't go into that. After


    It is? why?

    >> all, Solaris 10 has had SSHD for some time now.
    >>
    >> Can I legally ship a system with SSHD outside the US, except to a
    >> rogue state?


    Have you read the regulations?


    >>
    >> If I can, do I have to present some kind of certification that I'm
    >> exporting the software only to nice people?
    >>
    >> TIA,
    >> -wsanders


    >*TALK TO A LAWYER*. A competent one. The regulations about exporting
    >encryption are pretty clearly unconstitutional, and are unclear enough
    >that it makes sense to have someone with the relevant background
    >review it. A lot of its enforcement seems to be by standard practices
    >and selective enforcement, rather than any clear standard.


  5. Re: Export Restrictions Current 2008

    On Jun 18, 12:07*am, Unruh wrote:
    > Nico Kadel-Garcia writes:
    > >On Jun 13, 11:42=A0pm, w sanders wrote:
    > >> Howdy,

    >
    > >> I'm looking for up to date info on US SSH export restrictions. As I
    > >> understand it, the RSA issue, which was patent-related, went away in
    > >> 2000-2001, and the "SSH is a munition" issue, which was national
    > >> security silliness, largely went away in 2006, except to the extent
    > >> that one still cannot "export" SSH to a "terrorist state" like Cuba, N
    > >> Korea, Iran, etc.

    >
    > >> Core reason for me asking is Juniper JunOS still does not include SSH
    > >> in the International version due to "government export restrictions".

    >
    > Have they read the regulations?
    >
    > >> I'm sure shipping the Domestic version of JunOS, which includes SSHD,
    > >> is against the terms of the license, so I won't go into that. After

    >
    > It is? why?
    >
    > >> all, Solaris 10 has had SSHD for some time now.

    >
    > >> Can I legally ship a system with SSHD outside the US, except to a
    > >> rogue state?

    >
    > Have you read the regulations?
    >
    >
    >
    >
    >
    > >> If I can, do I have to present some kind of certification that I'm
    > >> exporting the software only to nice people?

    >
    > >> TIA,
    > >> -wsanders

    > >*TALK TO A LAWYER*. A competent one. The regulations about exporting
    > >encryption are pretty clearly unconstitutional, and are unclear enough
    > >that it makes sense to have someone with the relevant background
    > >review it. A lot of its enforcement seems to be by standard practices
    > >and selective enforcement, rather than any clear standard.- Hide quoted text -

    >
    > - Show quoted text -


    Well there are references like this (http://epic.org/crypto/
    export_controls/regs_1_00.html or http://www.bis.doc.gov/encryption/default.htm).
    One major problem is that there's considerable selective enforcement
    of the statute, and someenforcement that followed the various statutes
    in the past has been found to be unconstitutional. And these are not
    *laws* passed by Congress, they are regulations designed and enforced
    by executive agencies, namely Customs. So a competent lawyer can
    potentially save you quite a bit of pain.

  6. Re: Export Restrictions Current 2008

    Nico Kadel-Garcia writes:

    >On Jun 18, 12:07=A0am, Unruh wrote:
    >> Nico Kadel-Garcia writes:
    >> >On Jun 13, 11:42=3DA0pm, w sanders wrote:
    >> >> Howdy,

    >>
    >> >> I'm looking for up to date info on US SSH export restrictions. As I
    >> >> understand it, the RSA issue, which was patent-related, went away in
    >> >> 2000-2001, and the "SSH is a munition" issue, which was national
    >> >> security silliness, largely went away in 2006, except to the extent
    >> >> that one still cannot "export" SSH to a "terrorist state" like Cuba, N
    >> >> Korea, Iran, etc.

    >>
    >> >> Core reason for me asking is Juniper JunOS still does not include SSH
    >> >> in the International version due to "government export restrictions".

    >>
    >> Have they read the regulations?
    >>
    >> >> I'm sure shipping the Domestic version of JunOS, which includes SSHD,
    >> >> is against the terms of the license, so I won't go into that. After

    >>
    >> It is? why?
    >>
    >> >> all, Solaris 10 has had SSHD for some time now.

    >>
    >> >> Can I legally ship a system with SSHD outside the US, except to a
    >> >> rogue state?

    >>
    >> Have you read the regulations?
    >>
    >>
    >>
    >>
    >>
    >> >> If I can, do I have to present some kind of certification that I'm
    >> >> exporting the software only to nice people?

    >>
    >> >> TIA,
    >> >> -wsanders
    >> >*TALK TO A LAWYER*. A competent one. The regulations about exporting
    >> >encryption are pretty clearly unconstitutional, and are unclear enough
    >> >that it makes sense to have someone with the relevant background
    >> >review it. A lot of its enforcement seems to be by standard practices
    >> >and selective enforcement, rather than any clear standard.- Hide quoted t=

    >ext -
    >>
    >> - Show quoted text -


    >Well there are references like this (http://epic.org/crypto/
    >export_controls/regs_1_00.html or http://www.bis.doc.gov/encryption/default.=
    >htm).
    >One major problem is that there's considerable selective enforcement
    >of the statute, and someenforcement that followed the various statutes
    >in the past has been found to be unconstitutional. And these are not
    >*laws* passed by Congress, they are regulations designed and enforced
    >by executive agencies, namely Customs. So a competent lawyer can
    >potentially save you quite a bit of pain.


    Well, not really. The cases got chucked as moot when the gov't changed the
    regulations in the midst of the Bernstein process. Certainly their original
    rule that Bernstein could not describe his encryption process was ruled
    unconstitional, but that did not make the regulations unconstitutional.
    However, those regs were significantly relaxed especiall for mass market
    software. AS i RECALL something like ssh simply needed to be registered,
    bujt there were not export restrictions. Ie you just had to tell them you
    were exporting it. Anyway, read the regulations.

  7. Re: Export Restrictions Current 2008

    On 20 Jun, 15:12, Unruh wrote:

    > Well, not really. The cases got chucked as moot when the gov't changed the
    > regulations in the midst of the Bernstein process. Certainly their original
    > rule that Bernstein could not describe his encryption process was ruled
    > unconstitional, but that did not make the regulations unconstitutional.
    > However, those regs were significantly relaxed especiall for mass market
    > software. AS i RECALL *something like ssh simply needed to be registered,
    > bujt there were not export restrictions. Ie you just had to tell them you
    > were exporting it. *Anyway, read the regulations.- Hide quoted text -


    Well, they didn't get chucked. They got transferred, from US Customs,
    to US Commerce. This was an end-run around the issues being raised by
    cases like Phil Zimmerman's, and the embarassment of those cases could
    be altered without conceding the unconstitionality of the regulations.
    But because they're regulaitons, not laws, they're vulnerable to
    arbitrary re-assessment and revision as a purely executive decision.
    They're also tremendously vulnerable to selective enforcement, which
    is what I think we're seeing now.

    Reading the regulations is a great idea. But like reading a traffic
    code, it won't necessarily help protect you from endless difficulties
    if you don't also find the common practices of other drivers: that's
    where a competent lawyer can be a great help.


  8. Re: Export Restrictions Current 2008

    Nico Kadel-Garcia writes:

    >On 20 Jun, 15:12, Unruh wrote:


    >> Well, not really. The cases got chucked as moot when the gov't changed the=


    >> regulations in the midst of the Bernstein process. Certainly their origina=

    >l
    >> rule that Bernstein could not describe his encryption process was ruled
    >> unconstitional, but that did not make the regulations unconstitutional.
    >> However, those regs were significantly relaxed especiall for mass market
    >> software. AS i RECALL =A0something like ssh simply needed to be registered=

    >,
    >> bujt there were not export restrictions. Ie you just had to tell them you
    >> were exporting it. =A0Anyway, read the regulations.- Hide quoted text -


    >Well, they didn't get chucked. They got transferred, from US Customs,


    No, the legal case ( Bernstein) got chucked as moot since the regulations
    he contested had been changed.

    >to US Commerce. This was an end-run around the issues being raised by
    >cases like Phil Zimmerman's, and the embarassment of those cases could
    >be altered without conceding the unconstitionality of the regulations.


    Altered? There was never a Zimmermann case. There was a BErnstein case,
    which was declared moot ( but not after the courts declaring that software
    in humaln readable form-- eg C-- was speech which could flallunder
    constrituional protection.

    >But because they're regulaitons, not laws, they're vulnerable to
    >arbitrary re-assessment and revision as a purely executive decision.


    Yes.

    >They're also tremendously vulnerable to selective enforcement, which
    >is what I think we're seeing now.


    What evidence do you have for selective enforcment?
    NOte that ALL laws are vulnerable to selective enforcement. That is why one
    has prosecutor's offices.




    >Reading the regulations is a great idea. But like reading a traffic
    >code, it won't necessarily help protect you from endless difficulties
    >if you don't also find the common practices of other drivers: that's
    >where a competent lawyer can be a great help.



  9. Re: Export Restrictions Current 2008

    On 25 Jun, 10:11, Unruh wrote:
    > Nico Kadel-Garcia writes:
    > >On 20 Jun, 15:12, Unruh wrote:


    > No, the legal case ( Bernstein) got chucked as moot since the regulations
    > he contested had been changed.


    Look again. I meant Zimmerman: he had his own problems with the export
    regulations, for years, due to PGP. It's one of several famous cases
    of the export regulations interfering with open source software
    release and serving no good to prevent foreign military encryption
    technologies.


    > >to US Commerce. This was an end-run around the issues being raised by
    > >cases like Phil Zimmerman's, and the embarassment of those cases could
    > >be altered without conceding the unconstitionality of the regulations.

    >
    > Altered? There was never a Zimmermann case. There was a BErnstein case,
    > which was declared moot ( but not after the courts declaring that software
    > in humaln readable form-- eg C-- was speech which could flallunder
    > constrituional protection.


    I'm sorry if I was confusing: I didn't mean that charges were filed
    against Zimmerman, but he was investigated and harassed for years
    after his publication of PGP and its eventual publication overseas. I
    used to carefully download it from Finland, with checksums tested, to
    allow easy access to the tarballs and provide easy, form-free access
    for others in the US.

    > >But because they're regulaitons, not laws, they're vulnerable to
    > >arbitrary re-assessment and revision as a purely executive decision.

    >
    > Yes.
    >
    > >They're also tremendously vulnerable to selective enforcement, which
    > >is what I think we're seeing now.

    >
    > What evidence do you have for selective enforcment?
    > NOte that ALL laws are vulnerable to selective enforcement. That is why one
    > has prosecutor's offices.


    Let's see, what can I say without violating NDA's? In general, the
    shipping of OEM and business systems overseas from the US has had
    unpredictable harassment for inclusion of OpenSSH, and encrypted
    access monitoring systems. By carefully avoiding any mention, and by
    finding customs agents who can't spell 'SuSE', you can help avoid
    problems in the shipment. But we still have awkwardness getting
    encryption for routers and switches, as of 2 years ago, when I tried
    to update some Cisco's to make the management console SSH protected so
    that it could semi-safely be safely managed from a disaster recovery
    site. It seemed to matter what day of the week and whom I spoke with
    as to whether I would be allowed to send the software.

  10. Re: Export Restrictions Current 2008

    On 2008-06-25, Nico Kadel-Garcia wrote:

    >> Altered? There was never a Zimmermann case. There was a BErnstein case,
    >> which was declared moot ( but not after the courts declaring that software
    >> in humaln readable form-- eg C-- was speech which could flallunder
    >> constrituional protection.


    And a Junger case about what he could teach.


    > encryption for routers and switches, as of 2 years ago, when I tried
    > to update some Cisco's to make the management console SSH protected so
    > that it could semi-safely be safely managed from a disaster recovery
    > site. It seemed to matter what day of the week and whom I spoke with
    > as to whether I would be allowed to send the software.



    I think that's not a matter of law though - that's a matter of brainless
    interference from uniformed thugs.

    I had a little myself
    http://www.chiark.greenend.org.uk/pi...st/041372.html

    --
    Elvis Notargiacomo master AT barefaced DOT cheek
    http://www.notatla.org.uk/goen/

+ Reply to Thread