
[iaik-ssl] American export regulations vs JDK/JRE

I'm currently looking into the export/import issues around cryptography in general and SSL in particular. Below I state my present conclusions and raise a few questions. It would be very interesting to hear about IAIK's position in this matter, and also to hear what conclusions other users of IAIK-JCE and iSaSiLk have come to.

As far as I understand it, the IAIK-JCE and the iSaSiLk products have been developed outside the US in their entirety without the involvement of any American citizens. Thus American legislation does not need to be considered when using these products as components in your own product.

However, I've been in contact with some people who are lawyers or who have equivalent background, and they have informed me that the Americans claim that their laws have extra-territorial validity in some situations. This applies to products that have American sub-components constituting a value of more than 25% (10% for the countries on the UN embargo list) of the sales price of the product. For these products American authorities claim that American laws are applicable. This would then imply that if you have a product where the IAIK components are included with some American components, and the American component constitutes a value of 25% or more, then American legislation must be taken into account if you want to export your product. This would then mean that only so-called export ciphers may be enabled. Note that this is true even if the American components have nothing to do with encryption. Many countries have, not surprisingly, argued that the American standpoint has no support in international law. But nevertheless, if you don't follow the American regulations you may face a trade embargo from the American side. The trade embargo is typically enforced on a national level.

If you have no American components, or if they constitute only a small part, then the above shouldn't be a problem. But what if you want to bundle JDK/JRE with your product? Does that constitute a problem? My interpretation is that it shouldn't, since JDK/JRE is free.