26 February 1997
Source: http://www.bxa.doc.gov/08-.pdf (138K)

Public Comments on Encryption Items Transferred from
the U.S. Munitions List to the Commerce Control List

8. ISTAC

ISTAC
[No address]

February 10, 1997

Ms. Nancy Crowe, Regulatory Division
Office of Exporter Services
Bureau of Export Administration
Department of Commerce, Room 2705
14th Street and Pennsylvania Avenue NW
Washington, DC 20230

SUBJECT: Encryption Items Transferred From the U.S. Munitions list to the Commerce Control List, Interim rule effective December 30, 1996.

Dear Ms. Crowe,

The Information Systems Technical Advisory Committe (ISTAC) welcomes the opportunity to comment on the contents of "Encryption Items Transferred From....," Federal Register, Vol. 61, No. 251, December 30, 1996, pp. 68572 -68587. ISTAC applauds the publication of the regulations, together with the definitions of key concepts and terminology used therein. Encryption technology, as a critical element of both U.S. national security and commercial competitiveness, has engendered a prolonged and vigorous national debate. Recognizing the importance of the published regulations, the ISTAC wishes to ensure that the U.S. Information Systems industry is able to comply with the Regulations, completely and unambiguously. To attain this goal, the ISTAC respectfully seeks clarification on certain items of the Regulations as listed below. The ISTAC feels that the incorporation of these clarifications in the body of the Regulations will substantially reduce the potential for "subjective" interpretation of the Regulations, and as such will minimize the possibility of disagreements between the U.S. Information Systems industry and the people responsible for the Regulations.

ITEM 1:  Supplement No. 4 to Part 742 (page 68582) (sub item 7), requires that "The product shall be resistant to efforts to disable...." The criteria for being "resistant" have not been specified in the Regulation. The subjective use of the term "resistant" may admit the possibility of reduced competitiveness among the U.S. exporters for reasons of ambiguity. The ISTAC requests that the term "resistant" be better quantified so as to admit the use of a structured process to obtain "yes/no" answers to the question of the type " Is product X resistant"?

ITEM 2: Supplement No. 4 to Part 742 (page 68582) (sub item 8). Compliance to sub item 8 is predicated on the existence of an appropriate, well defined, Key Management Infrastructure. The Regulations recognize in the text that no such Key Management Infrastructure exists today. The ISTAC would like to emphasize the urgent need for better definitions and the issuing of a set of guidelines specifying the minimum requirements for such an infrastructure as soon as possible.

ITEM 3: In Part 744, (pages 68584-68585) (sub item 9 b), the term "U.S. Person" for the purpose of "Restriction on technical assistance....," includes in sub item 9.b.3 the clause, "Any person in the United States." The ISTAC would like a clarification on whether this regulation requires a license as a prerequisite for a foreign national in the US., say form Russia, to be able to provide technical assistance on encryption to another foreign national in the US., say also from Russia (or any other country). Why does the definition of "U.S. Person" appear as part of the Encryption Regulations instead of being defined the same as in the rest of the Export Control Regulations?

ITEM 4: Supplements No. 4 and 5 (page 68582). This section of the Regulations appears confusing and maybe even contradictory. The ISTAC believes that it would help to combine these sections into one.

ITEM 5: Supplement No. 5 (page 68582). The phrase "key recovery agent" appears to be used to define several different entities. The requirements placed on individuals must be clearly distinguished from those requirements placed on corporate organizations.

ITEM 6: The issue of software updates to licensed encryption products needs to be addressed. There is a need for a procedure that allows product updates, without BXA involvement, when the update does not affect the encryption function.

If any additional clarification is needed on any of these comments, please don't hesitate to call.

Norman D. Cowder

ISTAC CO-CHAIR

cc James Lewis

Hypertext by DN and JYA/Urban Deadline