[libsrtp] Question about libsrtp's ECCN information.

Paul E. Jones paulej at packetizer.com
Thu Oct 15 03:37:17 EDT 2020 

Kosakada,

If libsrtp were exported as a binary software package, I think it would 
be classified as ECCN 5D002.  However, libsrtp is only published in 
textual form and it's not clear to me that the same requirement exists 
for uncompiled source code.  If it does, the only requirement is that 
BIS and NSA must be notified of the existence of the software as 
explained here: https://www.law.cornell.edu/cfr/text/15/742.15#b.

That said, regardless of how libsrtp might be treated with respect to 
export, it would not convey any export license or classification in your 
own product.

It's also worth noting that, depending on how libsrtp is compiled, it 
may or may not contain encryption at all.  If using OpenSSL, then 
OpenSSL provides all of the cryptographic functionality and libsrtp is 
merely an API that utilizes external cryptograpy.

All of this EAR nonsense is really confusing, open source developers 
ignore it, etc., and that's why the US government (BIS, in particular) 
has generous exemptions for publicly available source code.  I had a 
talk with the folks there back in 2007 and they told me they knew and 
understood there is absolutely no way they can really control the 
encryption software all over the Internet.  So they don't really even 
try.  As an example, if one has publicly available cryptography 
software, there is still a requirement to NOT export to E:1 countries 
(e.g., North Korea, Syria, and Cuba).  I asked the folks at BIS how they 
expect that requirement to be met and they acknowledged they understood 
it cannot in practice.  GitHub is littered with cryptography software 
and I suspect there is absolutely no effort made to block access from 
any E:1 country.

That said, they will take commercial products more seriously.  That 
said, even commercial products cannot block people from downloading over 
the Internet.  One could try using geo-location services to block 
requests from an E:1 country, for example, but a VPN gets around that 
easily.  All of these old laws are truly dated and simply do not work in 
the age of the Internet.

Paul

------ Original Message ------
From: hikaru-kosakada at sharp.co.jp
To: pabuhler at cisco.com; libsrtp at lists.packetizer.com
Sent: 10/15/2020 2:43:27 AM
Subject: Re: [libsrtp] Question about libsrtp's ECCN information.

>Pascal-san
>
>
>
>
>
>Thank you for your information.
>
>
>
> > libSRTP is an open source, source code only distribution
>
>
>
>According to the Cisco web page I found, products containing more than 
>56 bits of encryption may be exported or re-exported under License 
>Exception ENC (15 CFR Part 740.17(b)(2) of EAR) .
>
>Does libSRTP apply to this?
>
>
>
>-> Cisco web-page: 
>https://www.cisco.com/c/en/us/about/legal/global-export-trade/general-export-compliance.html
>
>
>
>
>
>Or, since libSRTP is an open source and publicly available, isn't it 
>subject to the EAR?
>
>
>
>
>
>Thanks.
>
>Kosakada
>
>From: Pascal Buhler (pabuhler) [mailto:pabuhler at cisco.com]
>Sent: Thursday, October 8, 2020 10:48 PM
>To:小坂田光/技師 <hikaru-kosakada at sharp.co.jp>; libsrtp at lists.packetizer.com
>Cc: Pascal Buhler (pabuhler) <pabuhler at cisco.com>
>Subject: RE: Question about libsrtp's ECCN information.
>
>
>
>libSRTP  is an open source,  source code only distribution and 
>maintainers of the project do not directly get involved in export 
>licenses or other regulatory issues.
>
>
>
>pascal
>
>
>
>
>
>
>
>From: libsrtp <libsrtp-bounces at lists.packetizer.com> On Behalf Of 
>hikaru-kosakada at sharp.co.jp
>Sent: Wednesday, 7 October 2020 10:04 AM
>To:libsrtp at lists.packetizer.com
>Subject: [libsrtp] Question about libsrtp's ECCN information.
>
>
>
>Dear support,
>
>
>
>
>
>I'm Hikaru Kosakada from SHARP corporation.
>
>
>
>We are currently developing an app using this libsrtp library, and 
>getting ready to export our app.
>
>
>
>Could you tell me the ECCN information of libsrtp?
>
>(US ECCN number, Encryption Status, CCATS etc ...)
>
>
>
>
>
>Thank you.
>
>Kosakada
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.packetizer.com/pipermail/libsrtp/attachments/20201015/cc4676d1/attachment.htm>

More information about the libsrtp mailing list