Re: Digest Authentication

   Date: Sun, 31 Dec 1995 20:56:47 -0800 (PST)
   From: Ned Freed <NED@innosoft.com>
   Cc: ams@terisa.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com,
	   www-security@ns2.rutgers.edu

   The bottom line is that if you intend to export anything that uses
   cryptographic methods, you'd best hire a lawyer familiar with export law and
   get approval for it. You'll probably have no problem with authentication.

				   Ned

The ITAR has a specific exception for authentication in financial
applications, but this applies only to authentication for access
control, and does not extend to, say, the transaction itself.

From ITAR 121.1  XIII(b)(1):

	  (ii)  Specially designed, developed or modified for use in machines
  for banking or money transactions, and restricted to use only in such
  transactions.  Machines for banking or money transactions include automatic
  teller machines, self-service statement printers, point of sale terminals or
  equipment for the encryption of interbanking transactions.  

	  (iv) Personalized smart cards using cryptography restricted for use
  only in equipment or systems exempted from the controls of the USML [I'm not
  sure what this would be used for, but possibly some banking applications
  would fall under it]

	  (v) Limited to access control, such as automatic teller machines,
  self-service statement printers or point of sale terminals, which protects
  password or personal identification numbers (PIN) or similar data to prevent
  unauthorized access to facilities but does not allow for encryption of files
  or text, except as directly related to the password of [sic] PIN protection.

Joe

----
Joseph Arceneaux
Samsara Partners

http://www.samsara.com
jla@samsara.com
+1 415 648 9988 (direct)
+1 415 341 1395 (fax)
+1 500 488 9308

Received on Tuesday, 2 January 1996 12:35:02 UTC