[cryptography] Interesting Webcrypto question

Jeffrey Walton noloader at gmail.com
Sun Mar 3 16:12:45 EST 2013

On Sun, Mar 3, 2013 at 3:18 PM, Arshad Noor <arshad.noor at strongauth.com> wrote:
> On 03/03/2013 11:34 AM, Paul Hoffman wrote:
>>> You've now exported crypto to a restricted country.  What happens next?
>> You ask a lawyer or a legislator, not a bunch of amateurs in the subject?
> +1
> As someone who personally reviewed hundreds of pages of EAR rules,
> applied for and received License Exceptions for the export

Have you spoken to Anita? She is very helpful :)

> key-management and PKI appliances, I would conjecture that crypto
> in JavaScript would violate US export laws.

Key management may or may not be covered by export controls. It
depends on whether you are using encryption.

You can perform key agreement (Diffie-Hellman) and not require an
export license. But if you key a block cipher with the shared secret,
you will need a license.

If you are doing key transport (RSA), then you would need a license.
EAP-PSK, with its underlying block cipher, also requires a license.

Authentication does not require a license.

> Companies/Individuals
> that create crypto are restricted from shipping/selling it to
> people even in the USA if they appear on the Denied Persons List:
> http://www.bis.doc.gov/dpl/default.shtm

I believe you can ship to banned countries/individuals, but you need a
license that is administered by both the Department of Commerce and the
State Department. Cookie-cutter licenses to get approved for the App Store
usually don't fall under joint jurisdiction.