Crypto Export Restrictions

From Net-SNMP Wiki
Good Answer

This is a Good Answer article. It was likely created as a response to a question on a Net-SNMP Mailing List and written up here for others to see. It likely covers material not yet in the FAQ or in the Tutorial but may someday be moved there.

Question

I intend to use Net-SNMP in one of our products. We want to sell our product to the US and other countries, so we have to take care about export classification and regulations.

As netsnmp supports SNMP V3, I assume that Net-SNMP has encryption algorithms included, and this would require an ECCN (export classification control number), and if stronger encryption is included, a CCATS number as well. Are those numbers available?

Answer

Our cryptography software portions (AES and DES) actually come from OpenSSL and are not implemented internally. Additionally, back when export restrictions were relaxed for open source software, all that is required for an open source package that provides releases on a web site is to send proper notification to the US export office (which we did), but the export office does not respond to such queries (they only log it).

It's up to manufacturers of devices and software that intend to sell their devices overseas to go through proper paperwork for the device that includes open source software. I.e., nothing we could give you would satisfy your own requirements. We strongly suggest you consult with an export control lawyer as this community is not a legal service that you can count on.