Peter Gutmann
24 Durness Pl.
Orewa
Auckland
20 January 1997
International Security and Arms Control Division
Ministry of Foreign Affairs and Trade
Private Bag 18 901
Wellington
Dear Sir/Madam,
I would like to export two sets of encryption software to recipients in various
countries in Europe, but before I proceed I would like to find out what your
position is in regard to these exports. The two exports are:
-
An encryption program to be sent to Finland and Germany which provides (in the
encryption part) almost identical encryption capabilities to my "cryptlib"
encryption library which you have been considering as part of the export
application for the Paysafe financial package. In particular the program
provides the ability to perform DES, triple DES, IDEA, RC2, and RC4
conventional encryption and RSA public-key encryption, with a standard RSA key
size of 1024 bits with longer key sizes being available. The program is
distributed in source code form, and would be sent to a student at Helsinki
University for distribution in Finland (and the rest of Europe), and the
University of Erlangen for distribution in Germany (and the rest of Europe).
It provides means for network data and communications encryption, automatic key
exchange and key generation, and data authentication. The program was written
in Finland by the Helsinki University student [1].
-
An encryption library which is functionally almost identical to cryptlib (only
a few implementation details differ). The library implements the DES, triple
DES, Blowfish, IDEA, RC2, RC4, and RC5 encryption algorithms, MD2, MD4, MD5,
and SHA hash algorithms, and RSA and Diffie-Hellman public-key encryption.
These are all identical to the functionality of cryptlib. The library is
distributed in source code form, and would be sent to a student at the Centrum
voor Wiskunde en Informatica for distribution in the Netherlands (and the rest
of Europe), and to Cambridge University for distribution in the UK (and the
rest of Europe). The library is functionally almost identical to cryptlib, and
was written in the Netherlands by a CWI student (not the same one as it would
be sent to) [2].
In each of these four cases, what would be the requirements for export of the
code?
Yours sincerely,
Peter Gutmann
[1] The intent was to determine whether sending the code back to the person who
wrote it, and a person in another country, was OK.
[2] The intent was to determine whether sending the code back to someone who
occupied the office next to the person who wrote it, and an academic
institution in another country, was OK.