Peter H|gfeldt peter@REDACTED
Wed Jun 5 14:19:17 CEST 2002

Please find below what I wrote less than two months ago about
cryptographic software. I am not a lawyer, but I am of the (perhaps odd) 
opinion that an ordinary citizen can read and understand the laws of his
country. However, if you want to find out what is allowed for your
specific application, you have to go to court (get sued by the

Legislation is still in force and not void. However, the maximal allowable
"free" key sizes have been increased over the years (it seems as if the
US first sets a size to 1024 bits, say, then the EU is a good boy by
setting it to 512 bits, and Sweden, being a very good boy, sets it to

Erlang/OTP relies on the "public domain" exception to the EU legislation
(see below). 

Beware of petty corporate bureaucrats. They may mess things up for you by
making every little detail a big issue. They typically do not even
understand that you are free to export within the EU (one of the
cornerstones of the union).


On Wed, 5 Jun 2002, Klacke wrote:

> On Wed, Jun 05, 2002 at 12:22:26PM +0200, Peter H|gfeldt wrote:
> > 
> > To provide an interface in Erlang to SSLeay and to ask users to aquire
> > the SSLeay package themselves, is a device that we have found to fulfil
> > both the restrictions put on cryptographic software by the legislation
> > of the European Union, and the requirements in the SSLeay license.
> > 
> > So I am sorry, as an Ericsson employee, I dare not help you with this
> > matter, due to the quagmire of legal restrictions. 
> > 
> > /Peter
> Hmmm Peter, I though that the "quagmire" was gone by now. I do remember
> that there was a quagmire regarding the export issues for crypto
> software .. at least a couple of years ago.
> US (and the European Union) did a radical change regarding export
> of crypto several years ago if I recall correctly. At Nortel, we ship
> SSL based products and we have had zero problems with the 
> export of crypto software. (Our product is entirely based on openssl)
> So, to my knowledge, swedish, EU, and US export restrictons are
> just plain gone. (Notable exceptions of Libya, Cuba and some other not so
> very cool countries :-)
> Correct me if I'm wrong.

Export Control and OTP R8B
April 15, 2002


OTP R8 provides cryptography, which is subjected to export control
according to legislation of the European Union (and other countries as
well, notably the United States). 

The export control classification number (ECCN) for OTP is 5D002.

Only the following parts of OTP provides cryptography: the Crypto and
SSL applications.


There is a general authorisation for export from member states of the
EU to other states of the EU. This also holds true, according to
Council Regulation (EC) No 2432/2001, for export to the following
states: Australia, Canada, Czech Republic, Hungary, Japan, New
Zealand, Norway, Poland, Switzerland, and United States of
America. Hence, for export to those states, no further authorisation
is needed.

According to the same regulation, authorisation for export to other
states than those listed above is required for cryptographic software

	a. A "symmetric algorithm" employing a key length in excess of
	   56 bits; or 

	b. An "asymmetric algorithm" where the security of the algorithm is
	   based on any of the following:

	   1. Factorisation of integers in excess of 512 bits (e.g., RSA);

	   2. Computation of discrete logarithms in a multiplicative
	      group of a finite field of size greater than 512 bits
              (e.g., Diffie-Hellman over Z/pZ); or

	   3. Discrete logarithms in a group other than mentioned in
	      b.2. in excess of 112 bits (e.g., Diffie-Hellman over an
	      elliptic curve).

For products containing cryptographic software fulfilling a. or b.
authorisation for export is required. Authorisation is granted by
authorities of the member states of the EU. An export authorisation
issued in one member state is valid in all other member states.


The Crypto application provides a symmetric crypto algorithm (DES)
with a 56 bits key, and is thus not subject to export restrictions.


The SSL application can provide arbitrarily strong cryptography and is
therefore subject to restrictions. The measure to take is either to

	i)	obtain authorisation for export, or to

	ii)	remove the SSL application completely from the OTP

The SSL application of the OTP distribution does not contain the
cryptographic libraries needed (they have to be aquired by the user of
OTP). The SSL application without those libraries, still falls under
the above rules, according to the Swedish National Inspectorate of
Strategic Products, since it makes the capabilities possible

Goods generally available to the public

According the regulation referred to above, there is no export control
for goods

	a. Generally available to the public by being sold, without
	   restriction, from stock at retail selling points by means
	   of any of the following:

	   1. Over-the-counter transactions;
           2. Mail order transactions;
           3. Electronic transactions; or
           4. Telephone call transactions;

	b. The cryptographic functionality cannot easily be changed by
	   the user;

	c. Designed for installation by the user without further
	   substantial support by the supplier; and

	d. When necessary, details of the goods are accessible and
	   will be provided, upon request, to the competent
	   authorities of the Member State in which the exporter is
	   established in order to ascertain compliance with
	   conditions described in paragraphs a. to c. above.

Open Source

There is yet an other way to avoid the requirement of authorisation:
by providing the code as open source (the legislative term is "in the
public domain"). 

More information about the erlang-questions mailing list