TechHui

Hawaiʻi's Technology Community

Or, more precisely, software that makes use of the Legion of the Bouncy Castle's crypto APIs.

I am starting to broadly sketch architecture on a software solution that needs to make use of RSA-based public-key encryption and OpenPGP. Wanting to avoid the GPL, I am looking very closely at the Bouncy Castle provider and optional library for OpenPGP, since I already have used it in the past, and it is under a more flexible MIT-like licensing scheme. However, my customer in Japan (I'm in Japan, too) is very hesitant to use strong encryption due to the Japanese government cracking down on export of anything that may have military applications, just like ITAR in the US (article on Yamaha in China).

My understanding on BouncyCastle is that, since it is an Australian product, I should not be bound by any export restrictions, whether I am creating my software in the US or Japan.

Secondly, since BouncyCastle is free and open software clearly in the public domain, this should exempt me from normal export restrictions on strong encryption.

I am not a lawyer, and I don't know if any TechHui-ans actually are, but if anyone has any experience in exporting software that makes use of strong encryption, I would love to hear your thoughts on this.


Replies to This Discussion

I remember using the lightweight (non-JCE) version of the Bouncy Castle API for a customer about six years ago. Those guys have been around forever. It's a great library. In addition to learning a little about cryptography (I'm still a cryptography dummy) it also introduced me to some new design patterns.

Brooke: I am not a lawyer, and I don't know if any TechHui-ans actually are, but if anyone has any experience in exporting software that makes use of strong encryption, I would love to hear your thoughts on this.

Greg Kim is used by a lot of local tech start-ups. Greg practices law in Hawaii, but he might be able to point you in the right direction.

Cryptographic laws in the US have always been... interesting. Lawmakers have such a hard time keeping up with the times. Remember those RSA encryption t-shirts featuring Perl snippets? They were apparently considered munitions under US law.
If it is really a concern, you can always give your customer instructions on how to install Bouncy Castle themselves. That way you have not exported cryptographic code/libraries from Japan. Just making a guess that your customer/partner might be in China, right? This would definitely be a concern. However, if they can a) download Bouncy Castle's libraries legally, and b) have the know-how to install a non-Sun provider themselves, then it might be easier than figuring out if you can export such libraries from Japan.

We can all agree that this is a silly issue since the algorithms and software implementations are easy to find on the internet. The cat's out of the bag. However, I don't think any of us would want to be the ones explaining how silly these laws are in court :).
@Sub Callnop

Sadly, I don't think the end users will be savvy enough to even install Java themselves, for example, so I am also looking seriously at using Java Web Start to kick it all off...

But to return to the main thread, yes, the client-side code could end up in China or the Middle East. Hence my customer is quite hesitant to use any encryption since the Japanese laws are strict and also very hard to comprehend in the first place. Interesting thing is, I see that places like Symantec Japan, Adobe Japan, etc., all seem to have products that make use of the Bouncy Castle API, with a caveat in the license files stating that their software is not subject to Japan or US export restrictions on encryption. But I need to be absolutely sure here...

The funniest thing, however, is that I could make all of this go away if I can convince my customer to give up on a standalone client and simply do everything over the web using SSL. I don't think there are any restrictions then, are there?
A short follow-up....

Digging around, I found that for Japanese businesses wishing to export products that might be using encryption, JETRO will field questions and give you a start. The information is in Japanese, but for example, here's a Q&A on Export Control Classification Numbers.

I will still try to convince my customer to go with a complete web-based solution, but I've prepared an ugly hack architecture using Password-Based Encryption using DES along with a shared secret between the users and the system. Since DES uses a 56-bit key, I will be able to sidestep US and Japanese export restrictions. The data to be protected is temporal in nature, so I do not need to use encryption to protect secrets indefinitely. However, I do hear that DES is crackable in less than a day...

Hm... I should actually link this thread to the Japanese Business Group...
