[libsrtp] Question about libsrtp's ECCN information.
Paul E. Jones
paulej at packetizer.com
Thu Oct 15 03:37:17 EDT 2020
Kosakada,
If libsrtp were exported as a binary software package, I think it would
be classified as ECCN 5D002. However, libsrtp is only published in
textual form and it's not clear to me that the same requirement exists
for uncompiled source code. If it does, the only requirement is that
BIS and NSA must be notified of the existence of the software as
explained here: https://www.law.cornell.edu/cfr/text/15/742.15#b.
That said, regardless of how libsrtp might be treated with respect to
export, it would not convey any export license or classification in your
own product.
It's also worth noting that, depending on how libsrtp is compiled, it
may or may not contain encryption at all. If using OpenSSL, then
OpenSSL provides all of the cryptographic functionality and libsrtp is
merely an API that utilizes external cryptograpy.
All of this EAR nonsense is really confusing, open source developers
ignore it, etc., and that's why the US government (BIS, in particular)
has generous exemptions for publicly available source code. I had a
talk with the folks there back in 2007 and they told me they knew and
understood there is absolutely no way they can really control the
encryption software all over the Internet. So they don't really even
try. As an example, if one has publicly available cryptography
software, there is still a requirement to NOT export to E:1 countries
(e.g., North Korea, Syria, and Cuba). I asked the folks at BIS how they
expect that requirement to be met and they acknowledged they understood
it cannot in practice. GitHub is littered with cryptography software
and I suspect there is absolutely no effort made to block access from
any E:1 country.
That said, they will take commercial products more seriously. That
said, even commercial products cannot block people from downloading over
the Internet. One could try using geo-location services to block
requests from an E:1 country, for example, but a VPN gets around that
easily. All of these old laws are truly dated and simply do not work in
the age of the Internet.
Paul
------ Original Message ------
From: hikaru-kosakada at sharp.co.jp
To: pabuhler at cisco.com; libsrtp at lists.packetizer.com
Sent: 10/15/2020 2:43:27 AM
Subject: Re: [libsrtp] Question about libsrtp's ECCN information.
>Pascal-san
>
>
>
>
>
>Thank you for your information.
>
>
>
> > libSRTP is an open source, source code only distribution
>
>
>
>According to the Cisco web page I found, products containing more than
>56 bits of encryption may be exported or re-exported under License
>Exception ENC (15 CFR Part 740.17(b)(2) of EAR) .
>
>Does libSRTP apply to this?
>
>
>
>-> Cisco web-page:
>https://www.cisco.com/c/en/us/about/legal/global-export-trade/general-export-compliance.html
>
>
>
>
>
>Or, since libSRTP is an open source and publicly available, isn't it
>subject to the EAR?
>
>
>
>
>
>Thanks.
>
>Kosakada
>
>From: Pascal Buhler (pabuhler) [mailto:pabuhler at cisco.com]
>Sent: Thursday, October 8, 2020 10:48 PM
>To:小坂田光/技師 <hikaru-kosakada at sharp.co.jp>; libsrtp at lists.packetizer.com
>Cc: Pascal Buhler (pabuhler) <pabuhler at cisco.com>
>Subject: RE: Question about libsrtp's ECCN information.
>
>
>
>libSRTP is an open source, source code only distribution and
>maintainers of the project do not directly get involved in export
>licenses or other regulatory issues.
>
>
>
>pascal
>
>
>
>
>
>
>
>From: libsrtp <libsrtp-bounces at lists.packetizer.com> On Behalf Of
>hikaru-kosakada at sharp.co.jp
>Sent: Wednesday, 7 October 2020 10:04 AM
>To:libsrtp at lists.packetizer.com
>Subject: [libsrtp] Question about libsrtp's ECCN information.
>
>
>
>Dear support,
>
>
>
>
>
>I'm Hikaru Kosakada from SHARP corporation.
>
>
>
>We are currently developing an app using this libsrtp library, and
>getting ready to export our app.
>
>
>
>Could you tell me the ECCN information of libsrtp?
>
>(US ECCN number, Encryption Status, CCATS etc ...)
>
>
>
>
>
>Thank you.
>
>Kosakada
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.packetizer.com/pipermail/libsrtp/attachments/20201015/cc4676d1/attachment.htm>
More information about the libsrtp
mailing list