Kosakada,

If libsrtp were exported as a binary software package, I think it would be classified as ECCN 5D002.  However, libsrtp is only published in textual form and it's not clear to me that the same requirement exists for uncompiled source code.  If it does, the only requirement is that BIS and NSA must be notified of the existence of the software as explained here: https://www.law.cornell.edu/cfr/text/15/742.15#b.

That said, regardless of how libsrtp might be treated with respect to export, it would not convey any export license or classification in your own product.

It's also worth noting that, depending on how libsrtp is compiled, it may or may not contain encryption at all.  If using OpenSSL, then OpenSSL provides all of the cryptographic functionality and libsrtp is merely an API that utilizes external cryptography.

All of this EAR nonsense is really confusing, open source developers ignore it, etc., and that's why the US government (BIS, in particular) has generous exemptions for publicly available source code.  I had a talk with the folks there back in 2007 and they told me they knew and understood there is absolutely no way they can really control the encryption software all over the Internet.  So they don't really even try.  As an example, if one has publicly available cryptography software, there is still a requirement to NOT export to E:1 countries (e.g., North Korea, Syria, and Cuba).  I asked the folks at BIS how they expect that requirement to be met and they acknowledged they understood it cannot in practice.  GitHub is littered with cryptography software and I suspect there is absolutely no effort made to block access from any E:1 country.

That said, they will take commercial products more seriously.  That said, even commercial products cannot block people from downloading over the Internet.  One could try using geo-location services to block requests from an E:1 country, for example, but a VPN gets around that easily.  All of these old laws are truly dated and simply do not work in the age of the Internet.

Paul

------ Original Message ------
From: hikaru-kosakada@sharp.co.jp
To: pabuhler@cisco.com; libsrtp@lists.packetizer.com
Sent: 10/15/2020 2:43:27 AM
Subject: Re: [libsrtp] Question about libsrtp's ECCN information.

Pascal-san

Thank you for your information.

> libSRTP is an open source, source code only distribution

According to the Cisco web page I found, products containing more than 56 bits of encryption may be exported or re-exported under License Exception ENC (15 CFR Part 740.17(b)(2) of EAR).

Does libSRTP apply to this?

-> Cisco web-page: https://www.cisco.com/c/en/us/about/legal/global-export-trade/general-export-compliance.html

Or, since libSRTP is open source and publicly available, isn't it subject to the EAR?

Thanks.

Kosakada

From: Pascal Buhler (pabuhler) [mailto:pabuhler@cisco.com]
Sent: Thursday, October 8, 2020 10:48 PM
To: 小坂田光/技師 <hikaru-kosakada@sharp.co.jp>; libsrtp@lists.packetizer.com
Cc: Pascal Buhler (pabuhler) <pabuhler@cisco.com>
Subject: RE: Question about libsrtp's ECCN information.

libSRTP is an open source, source code only distribution and maintainers of the project do not directly get involved in export licenses or other regulatory issues.

pascal

From: libsrtp <libsrtp-bounces@lists.packetizer.com> On Behalf Of hikaru-kosakada@sharp.co.jp
Sent: Wednesday, 7 October 2020 10:04 AM
To: libsrtp@lists.packetizer.com
Subject: [libsrtp] Question about libsrtp's ECCN information.

Dear support,

I'm Hikaru Kosakada from SHARP corporation.

We are currently developing an app using this libsrtp library, and getting ready to export our app.

Could you tell me the ECCN information of libsrtp?

(US ECCN number, Encryption Status, CCATS etc ...)

Thank you.

Kosakada