law office of Lee Tien 1452 Curtis Street Berkeley, California 94702 _______________ tien@well.com voice: (510) 525-0817 fax: (510) 525-3015 April 22, 1997 Reference: CLASSIFICATION REQUEST for Integrated DNSSEC Bureau of Export Administration U.S. Department of Commerce 14th Street and Pennsylvania Avenue, N.W. Room 2705 Washington, DC 20444 Dear Sir or Madam: This is a Classification Request pursuant to 15 C.F.R. para. 748.3 of the Export Administration Regulations ("EAR") by Mr. Hugh Daniel for "Integrated DNSSEC," authentication software for improving the security of the Internet's Domain Name System ("DNS"). Form BXA-748P is enclosed. We ask that the Bureau of Export Administration ("BXA") confirm our judgment that Mr. Daniel may freely export this software in both source and object code form without a license because he plans to make the software publicly available, and it is therefore not subject to the EAR under 15 C.F.R. para. 734.3(b)(3)(i). Mr. Daniel in December 1996 submitted a Commodity Jurisdiction Request ("CJR") asking the State Department's Office of Defense Trade Controls ("ODTC") to determine that Integrated DNSSEC was subject to Commerce Department jurisdiction; the CJR was returned without action and Mr. Daniel was directed to contact BXA. A copy of the December CJR, along with a technical description, is enclosed as Attachment 1 to this Request and incorporated by reference. Further details are provided below, but in summary, Integrated DNSSEC is an authentication application consisting of an implementation of Domain Name System Security Extensions ("DNSSEC") known as "TIS/DNSSEC," developed by Trusted Information Systems, Inc. ("TIS") under Defense Advanced Research Projects Agency ("DARPA") sponsorship, integrated with the RSAREF 2.0 toolkit ("RSAREF") released by RSA Data Security, Inc. Because Integrated DNSSEC is authentication software used only to authenticate users or messages and the encryption capability of the software is limited to encryption of data needed for authentication, we believe that: it is not controlled by ECCN 5D002 (see Note to ECCN 5A002 f. and g.); jurisdiction over such software resided at Commerce prior to November 1996; Integrated DNSSEC may be made publicly available without a license. A primary goal of the DARPA contract work performed by TIS was to make the TIS implementation freely available to DNS implementers on the Internet. Mr. Daniel seeks to make Integrated DNSSEC freely available to DNS implementers on the Internet. He works with various free, non-proprietary software distributors, such as those who distribute the non-proprietary version of UNIX known as GNU. After approval for distribution is obtained, he plans to make the software available for download from the Internet Software Consortium World-Wide Web ("Web") page at www.isc.org, and from TIS. He also expects that it will be integrated with several free operating system releases, such as Linux (www.linux.org) and FreeBSD (www.freebsd.org), which are available both online and on CD-ROMs. Furthermore, Mr. Daniel intends to make Integrated DNSSEC publicly available in response to all such requests, either free or at a price that does not exceed the cost of reproduction and distribution. We anticipate that many requests for Integrated DNSSEC will be made via the Internet and that free distribution over the Internet will be the major, but not the only, mode of distribution to users. Thus, Integrated DNSSEC is a "mass market" item in that it is designed for use without further substantial support and will be made available without restriction via electronic mail ("e-mail"), web and file transfer protocol ("ftp") download, telephone and mail requests from users. See Supp. No. 2 to 15 C.F.R. Part 774, General Software Note. Therefore, we request that you find that Mr. Daniel's proposed distribution of Integrated DNSSEC is not subject to the EAR and provide a classification for Integrated DNSSEC that reflects its "mass market" nature and its public availability. The following information is presented for your review and analysis: 1. Description: Integrated DNSSEC adds authentication to the Internet's Domain Name System ("DNS). The main function of the DNS is to associate an Internet address with an Internet host name. It is a critical operational part of the Internet infrastructure. The DNS, however, currently has no security capabilities. It is easy to insert false data into it, and by altering DNS data, a person can pretend to be someone else or redirect communications to go to other than the originally intended destination. Thus, malicious or erroneous information can corrupt the DNS and significantly harm the Internet. To address this problem, the Internet Engineering Task Force ("IETF") designed security extensions based on digital signatures to assure security, integrity and reliability. Under DARPA sponsorship, Trusted Information Systems, Inc., implemented the IETF specifications into its TIS/DNSSEC. These extensions specifically do not provide users with encryption confidentiality; instead, the DNS Security Extensions provide for the distribution and storage of authenticated public keys in the DNS structure. This capability can support other Internet functions in addition to the DNS, so fielding the TIS security extensions for DNS will provide improved security, integrity and reliability for the overall Internet. Integrated DNSSEC consists of the source code for TIS/DNSSEC integrated with the source code for the RSAREF crypto tool kit. TIS/DNSSEC is a modified version of the Berkeley Internet Name Daemon ("BIND") software, the software most widely used for implementing the DNS on the Internet, which is written in the C programming language. It uses RSAREF, also written in the C programming language, as an authentication tool. It does not use any of RSAREF's cryptographic functionality other than in service of authentication. The majority of TIS/DNSSEC is dedicated to handling new resource records (stored information entries in the DNS database) and processing requests and responses for these records. Only a small portion of the TIS/DNSSEC implementation deals with RSAREF. In support of this Classification Request, we have also provided copies of: the TIS/DNSSEC CJ Request (ODTC Case CJ 261-96) and the ODTC letter determining that TIS/DNSSEC is outside State's licensing jurisdiction; the forms issued by BXA with respect to TIS/DNSSEC; and one floppy disk containing the subject source code. (Attachments 2, 3 and 4, incorporated by reference into this Request). The floppies each contain a DOS file system. There is a single file on each floppy, called "tisdnssc.tgv". This is a gzip'd tar file which contains the complete source code distribution for TIS/DNSSEC. Using these commands: gzip -d tisdnssc.tar tar xvvf tisdnssc.tar the distribution can be extracted. This will create a new directory called sec_bind494-b131-complete, which has all the files in it. In that directory is a file named README_COMPLETE which is in addition to the files from the TIS release and the RSAREF release. The README_COMPLETE simply states: " Complete distribution of TIS/DNSSEC This directory integrates the Trusted Information Systems release of TIS/DNSSEC and the RSA Data Security release of RSAREF. The only changes are minor edits in the top-level Makefiles of the two distributions. The result is a single distribution which provides complete source code for authenticated domain name services. See TIS's README_SEC for details on the program, and INSTALL_SEC for the installation instructions." The only changes from the two distributions are: Removed packing materials from the RSAREF release. Renamed top-level directory to add -complete. Edited Makefile to add rsaref/lib to the SUBDIRS list and to change the default compiler on SunOS to gcc. Copied rsaref/install/unix/makefile to rsaref/lib/makefile. Edited rsaref/lib/makefile to avoid a name conflict with the top-level Makefile. Added README_COMPLETE file. The commodity has been tested and it compiles without further integration, following the directions in the INSTALL_SEC file, on SunOS using GCC. The RSAREF distribution includes a sample program that can do file encryption, for testing the distribution. The program cannot be removed from the distribution because the RSAREF program license agreement requires consent from RSA Data Security for changes to the release. However, this program is restricted to using one of three keys, two of which are wired into the program (and are thus known) and the third of which is "randomly" generated by RSAREF itself (to test the key generator). However, the random number generator in the test program has been crippled so that it only gets fed zeros: its output is completely predictable. In other words, the program is not useful for file encryption; it provides no confidentiality because all possible keys are pre-compromised. 2. Origin of Commodity: The specifications for the DNS Security ("DNSSEC") Extensions were published by the IETF. The extensions provide the specific mechanisms (data origin authentication, data integrity, key distribution, transaction authentication, request authentication) to integrate security, integrity and reliability into the DNS. Under DARPA sponsorship (Contract # DABT63-94-C-0001, "Internet Infrastructure Protection," March 1, 1994), TIS developed a reference implementation of the DNSSEC specification, TIS/DNSSEC. Integrated DNSSEC will, after compilation and installation by a trained person, perform authentication on its own. It is designed for installation without further substantial support by the supplier. TIS/DNSSEC, as released by TIS, did not function to authenticate on its own; it requires that the DNS implementer obtain and compile RSAREF separately. RSAREF is software developed by RSA Data Security, Inc., and made available without cost per the RSA Program License Agreement. Although RSAREF has cryptographic functionality, Integrated DNSSEC does not use any of RSAREF's cryptographic functionality other than that needed to perform authentication. In September 1996, TIS obtained approval from BXA to make TIS/DNSSEC freely available to DNS implementers on the Internet. See Attachment 3. However, although TIS/DNSSEC requires RSAREF to be functional, it is published without RSAREF. Thus, TIS/DNSSEC is of limited value because DNS implementers must obtain and compile RSAREF separately before being able to authenticate. The goal of this Classification Request is to make it possible for DNS implementers to have DNS authentication in a single integrated package. 3. Current Use: The TIS/DNSSEC software was recently released. Integrated DNSSEC would be a new release; after approval for distribution is obtained, Mr. Daniel plans to make the software available for download from the Internet Software Consortium web page at www.isc.org, and from TIS. He also expects that it will be integrated with several free operating system releases, such as Linux (www.linux.org) and FreeBSD (www.freebsd.org), which are available both online and on CD-ROMs. Integrated DNSSEC is a "mass market" item designed to for use without further substantial support from Mr. Daniel and will be made available without restriction via electronic mail ("e-mail"), web and file transfer protocol ("ftp") download, telephone and mail requests from users. Mr. Daniel intends to make Integrated DNSSEC publicly available in response to all such requests, either free or at a price that does not exceed the cost of reproduction and distribution. We anticipate that many requests for Integrated DNSSEC will be made via the Internet and that free distribution over the Internet will be the major, but not the only, mode of distribution to users. 4. Special Characteristics: Integrated DNSSEC is not designed to meet specific military standards or specifications, is not a "hardened" military device, does not contain TEMPEST capability, and is not intended for surveillance or intelligence gathering. The package's only use of encryption for confidentiality is for the protection of stored private signature-generation keys via a DES function in RSAREF, and for testing the functioning of the underlying cryptographic library using known keys, as described above. 5. Other Information: Integrated DNSSEC is implemented to provide authentication and integrity assurance mechanisms for the Internet DNS. The package contains RSAREF, but only uses RSAREF for authentication and to protect stored private signature-generation keys. Mr. Daniel seeks to make Integrated DNSSEC publicly available to DNS implementers on the Internet. Making it publicly available will increase the security, integrity and reliability of the Internet, a primary goal of the DARPA-sponsored development of TIS/DNSSEC. The advantage of Integrated DNSSEC over TIS/DNSSEC is that it contains everything necessary to implement DNSSEC. Future versions are planned for the BIND 8 release, which is not yet in stable form. 6. Recommendation and Justification: We recommend that BXA find that Mr. Daniel's proposed distribution of Integrated DNSSEC, as described above, is not subject to the EAR under 15 C.F.R. para. 734.3(b)(3)(i) because he will make it publicly available. By way of background, the ITAR had previously exempted software otherwise within U.S. Munitions List ("USML") Category XIII(b)(1) from State jurisdiction if it was "[l]imited to access control" or "[l]imited to data authentication . . . to ensure no alteration of text has taken place, or to authenticate users, but does not allow for encryption of data, text or other media other than that needed for the authentication." 22 C.F.R. para. 121.1 Category XIII(b)(1)(v), (vi). Because Integrated DNSSEC will prevent persons from misdirecting Internet traffic through unauthorized alteration of DNS data, which can cause Internet outages, it should also have qualified for exemption as software "designed . . . to protect against malicious computer damage." 22 C.F.R. para. 121.1 Category XIII(b)(1)(ix). These points were made in Mr. Daniel's December 1996 CJR, which was returned without action. See Attachment 1. We believe that the EAR contains exemptions similar to ITAR's "access control" and "data authentication" exemptions. We further believe that under the EAR this software is eligible for public availability treatment under 15 C.F.R. para. 734.3(b)(3)(i). Mr. Daniel intends to make Integrated DNSSEC publicly available in response to all such requests, either free or at a price that does not exceed the cost of reproduction and distribution. The EAR specifically provides that "[i]f the source code of a software program is publicly available, then the machine-readable code compiled from the source code is software that is publicly available and therefore not subject to the EAR." Supplement No. 1 to Part 734, Answer to Question G(1); see also id., Answer to Question I(3). ECCN 5A002 Note f. and g. appears to set forth exemptions equivalent to the above-mentioned ITAR exemptions. 15 C.F.R. Part 774, Category 5.II. (information security). This language states, in pertinent part, that: Note: 5A002 does not control: * * * f. Access control equipment . . . that protects password or personal identification numbers (PIN) or similar data to prevent unauthorized access to facilities but does not allow for encryption of files or text, except as directly related to the password or PIN protection; g. Data authentication equipment that calculates a Message Authentication Code (MAC) or similar result to ensure no alteration of text has taken place, or to authenticate users, but does not allow for encryption of data, text or other media other than that needed for the authentication . . . . While 5A002 applies to equipment, the regulations defining ECCN 5D002 (encryption software) state that: Note: 5D002 does not control: * * * b. "Software" providing any of the functions of equipment excluded from control under the Note to 5A002. As explained above, Integrated DNSSEC is implemented to provide only authentication and integrity assurance mechanisms for the Internet DNS. BXA has previously recognized that the TIS/DNSSEC implementation is "mass market" software without "encryption item" ("EI") control. See Attachment 3 (TIS-BXA 6002L). Integrated DNSSEC is merely the already exportable TIS/DNSSEC combined with the library that makes it functional to perform authentication. The application only provides the capability to authenticate. It provides no confidentiality capability to users. There is no application for general file or text encryption functionality. While the application contains cryptographic algorithms present within RSAREF, the application contains no interface to RSAREF other than for authentication and test purposes. Integrated DNSSEC's interface to RSAREF encryption is limited to the use of a DES function for protecting stored private signature-generation keys. No user access to RSAREF's encryption capabilities is provided; the only uses of encryption for confidentiality are within a restricted internal function protecting private keys used for signature generation, and within a test scaffold that uses pre-selected, known key values. Thus, the included library validation program is incapable of meaningful encryption because it is deliberately crippled. The basic exponentiation algorithm is of course capable of performing encryption, but Integrated DNSSEC only uses it for authentication. Any software to perform secure authentication internally contains an encryption algorithm that has the potential to provide confidentiality, so the applicability of the authentication exemption should turn only on whether Integrated DNSSEC functions to authenticate. Thus, we believe Integrated DNSSEC contains no more encryption than is needed for assuring authentication and integrity of Internet domain names and addresses as specified by the IETF's DNS Security Extensions. Because Integrated DNSSEC is "software" that has the functions specified in ECCN 5A002 Note f. or g., we believe that Integrated DNSSEC is not EI software within ECCN 5D002. Therefore, it appears Integrated DNSSEC is not on the Commerce Control List and is not subject to the EAR at all. Some other classification may apply to Integrated DNSSEC. We have been unable to determine precisely which ECCN classification should be applied to Integrated DNSSEC. However, we believe the ECCN classification is irrelevant in this case. It is our understanding that because Mr. Daniel's proposed activities of "export" consist of making the software publicly available per 15 C.F.R. para. 734.3(b)(3)(i) and 15 C.F.R. para. 734.7(b), he does not need a license. We are aware that under the recently promulgated "encryption item" ("EI") regulations, 61 Fed.Reg. 68572 (Dec. 30, 1996), EI software, i.e. ECCN 5D002, is not eligible for public availability treatment. We believe that these provisions do not apply to Integrated DNSSEC because it cannot be used to encrypt and therefore is not "encryption software" within the meaning of the EAR. Inasmuch as the provisions above only refer to "encryption software controlled under ECCN 5D002 for 'EI' reasons on the Commerce Control List [CCL]," e.g., 15 C.F.R. para. 734.7(c), and authentication software like Integrated DNSSEC is expressly excluded from 5D002 as explained above, it should be possible to make Integrated DNSSEC publicly available under 15 C.F.R. para. 734.7(b). We further note that, as outlined in the December CJR to State , Integrated DNSSEC fell within specific ITAR exemptions for "access control," "data authentication," and "malicious damage prevention" that have been in place for several years. This means that jurisdiction over software within these exemptions was transferred to Commerce prior to the general transfer of encryption items from the USML to the CCL by Executive Order 13026 of November 15, 1996 (61 Fed.Reg. 58767). This is significant because the EI regulations plainly state that the "EI" reason for control "applies only to encryption items transferred from the U.S. Munitions List to the Commerce Control List consistent with E.O. 13026 of November 15, 1996." 15 C.F.R. Part 774, Category 5.II., 5A002; see also id. at 5D002. Jurisdiction over software within the exemptions on which we rely was transferred earlier; the March 25, 1996 recodification of the EAR contains the enumerated exemptions. See ECCN 5D002, Note ("5D002 does not control . . . [s]oftware providing any of the functions of equipment excluded from control under the Note to 5A002"), 61 Fed.Reg. 13005 (March 25, 1996); ECCN 5A002, Note ("5A002 does not control . . . access control equipment [and] [d]ata authentication equipment . . . [that] does not allow for encryption . . . other than that needed for the authentication"), 61 Fed.Reg. 13004 (March 25, 1996). We again note that in June 1996, the ODTC determined TIS/DNSSEC to be outside State's licensing jurisdiction. See Attachment 2. Thus, Commerce had jurisdiction over such access control and data authentication software prior to November 15, 1996. Because Integrated DNSSEC is access control or authentication software, there cannot be "EI" controls on such software. And, because all software other than EI software can be made publicly available, Integrated DNSSEC can be made publicly available. It is our position, then, that Integrated DNSSEC is specifically excluded from ECCN 5D002 by 5D002 Note and 5A002 Notes f. and g., or was subject to Commerce Department jurisdiction prior to the President's actions of November 15, 1996. Either way, it ought not be subject to the provisions of the new EI regulations that deny public availability treatment for encryption software. It follows that Integrated DNSSEC can receive public availability treatment. We therefore respectfully request that BXA provide a Classification Request determination stating that Mr. Daniel's proposed distribution of Integrated DNSSEC in source and object code form is not subject to the EAR. If the activities described in this Classification Request do not comport with your public availability regulations, or if we have incorrectly interpreted any of your regulations, please inform me of the errors and of what other steps must be taken. I can be contacted at (510) 525-0817 (voice), (510) 525-3015 (fax) or tien@well.com (e-mail). Sincerely yours, Lee Tien ENCLOSURES: Form BXA-748P Attachment 1: Daniel CJ Req. (with TIS/DNSSEC description) and ODTC RWA Attachment 2: TIS/DNSSEC CJ Req. and ODTC letter Attachment 3: BXA forms re: TIS/DNSSEC Attachment 4: floppy disk w/Integrated DNSSEC source code