- From: Joseph Arceneaux <jla@samsara.com>
- Date: Tue, 2 Jan 96 12:30 PST
- To: NED@innosoft.com
- Cc: strombrg@hydra.acs.UCI.EDU, ams@terisa.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, www-security@ns2.rutgers.edu
Date: Sun, 31 Dec 1995 20:56:47 -0800 (PST) From: Ned Freed <NED@innosoft.com> Cc: ams@terisa.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, www-security@ns2.rutgers.edu The bottom line is that if you intend to export anything that uses cryptographic methods, you'd best hire a lawyer familiar with export law and get approval for it. You'll probably have no problem with authentication. Ned The ITAR has a specific exception for authentication in financial applications, but this applies only to authentication for access control, and does not extend to, say, the transaction itself. >From ITAR 121.1 XIII(b)(1): (ii) Specially designed, developed or modified for use in machines for banking or money transactions, and restricted to use only in such transactions. Machines for banking or money transactions include automatic teller machines, self-service statement printers, point of sale terminals or equipment for the encryption of interbanking transactions. (iv) Personalized smart cards using cryptography restricted for use only in equipment or systems exempted from the controls of the USML [I'm not sure what this would be used for, but possibly some banking applications would fall under it] (v) Limited to access control, such as automatic teller machines, self-service statement printers or point of sale terminals, which protects password or personal identification numbers (PIN) or similar data to prevent unauthorized access to facilities but does not allow for encyprtion of files or text, except as directly related to the password of [sic] PIN protection. Joe ---- Joseph Arceneaux Samsara Partners http://www.samsara.com jla@samsara.com +1 415 648 9988 (direct) +1 415 341 1395 (fax) +1 500 488 9308
Received on Tuesday, 2 January 1996 12:35:02 UTC