[Owasp-leaders] OWASP Service ticket # 07479 - Crypto Self-registration for Category 5, Part 2 of the EAR

Kevin W. Wall kevin.w.wall at gmail.com
Fri Feb 19 06:48:43 UTC 2016

Based on some recent discussion threads on a non-OWASP
cryptography-related mailing list that I follow, I have come to the
conclusion that OWASP projects that use or provide cryptography may be
required to (self)register for Category 5, Part 2 of the EAR, which
has to do with export regulations of cryptography. (Note: Registration
does NOT imply restriction. I just want to be clear on that.)
Essentially, what I am referring to is:

I am hoping that I am wrong (partly because I'm not sure where to start),
but since IANAL, I am hoping that someone who has either 1) gone
through this before and can point me in the right direction, or 2) has
a legal background and can provide some pointers and advice, or who says
3) "I'm an attorney and I'd volunteer some free time to help out OWASP
and ESAPI," etc.

I originally submitted this to the OWASP "Contact Us" link. Here is my
original request (ticket # 07479):

> Need advice from OWASP legal counsel regarding whether the OWASP ESAPI
> Project needs to file notification to BIS regarding encryption notification.
> At first I thought that because ESAPI was clearly considered as a mechanism
> intended for "Information Security" and did not actually distribute any
> cryptographic libraries, that this was not required, but now I am no longer
> so certain. I'd prefer not to have to register unless we are required.

and Paul's sage advice:

On Wed, Feb 17, 2016 at 2:00 PM, Paul Ritchie <paul.ritchie at owasp.org> wrote:
> Hi Kevin - You sent in a question to our Contact Us service center, # 07479
> about whether legal counsel review was needed.  See your inquiry below.
> Kevin - Couple of considerations here, so let's address each and determine
> best path forward.
> 1.  First - let's review the 'ownership' of the project.  If the ESAPI
> project is 100% being produced under the OWASP branding and umbrella, then
> OWASP would need to work on this answer.
> But, if your company is also hosting part of this project, and you or your
> company retains ultimate ownership of the project.....and OWASP is just
> given license to use or distribute....then the responsibility to get legal
> review falls back on your company.
>>> Actually you may find that your company has many more legal resources to
>>> pull upon than OWASP.
> 2.  OWASP does have legal counsel, but of course it will cost for them to do
> this research and offer advice.  This is pretty complex stuff, so legal fees
> are probably $300-500 per hour.    It would most likely be charged to your
> Project budget, or 'shared' 50/50 with your project.
>>>  So, how critical is it to find this out now?  If we "are" at a critical
>>> path....OK, lets get this resolved.
> 3.  Let's ask the Community first.
>>>  We have a ton of experts or at least people with experience and we can
>>> ask them for advice!
>>>  Can you craft an email out to the leaders list describing the
>>> issue......with enough detail facts for someone to comment?
>>>  At a minimum, you could also ask community members to contact you
>>> directly for additional details.
> @Kevin - How about we ask the community for their advice based on 'real
> experience' before we go burn time with an Attorney?
> <...deleted my original request, reproduced above>
> Best Regards, Paul Ritchie
> OWASP Executive Director
> paul.ritchie at owasp.org

So, I am hoping that someone on the leaders list will be able to shed
some light here. Many of the links on the BIS site referred to
non-existent servers so that's one reason why I got lost trying to
track this down myself.

In the meantime, let me share why I think that ESAPI needs to be registered.

In the "Easy Button" approach, you're told to follow "Flowchart 1", which is at:

For Flowchart 1...
Decision Box 1: Yes, ESAPI contains code to use / assist with encryption
Decision Box 2: No, ESAPI is not designed for medical end users
Decision Box 3: No, ESAPI is not "decontrolled" based on Note 4. Note 4 is here:

(Only our USG would make #Three refer to Note 4. :)
Following the logic outlined in Note 4, to qualify as being
decontrolled, one must meet ALL the conditions.

ESAPI fails to meet condition (a)(1), because its primary
purpose IS to enhance "Information Security".  It _may_ also fail to meet
condition (b), depending on the legal meaning of "The cryptographic
functionality is limited to supporting their primary function or set
of functions". I'm not really sure how to interpret that, but if it
fails (a)(1) it is not a decontrolled item. [Note @Jeff Williams:
Apparently this "Note 4" previously used to refer to "encryption as an
ancillary function", and one could argue that ESAPI's use of
encryption was ancillary. They have since replaced that wording with
the present wording, but that may be why you thought this didn't apply.]

(back to Flowchart 1)
Decision Box 4: No, ESAPI's use of encryption is not related to IP or
copyright protection.

So then we are told to proceed to Flow Chart 2, which you can find here:

Flowchart 2:

Decision Box 1: Yes, ESAPI is free, open source code published under
the New BSD License and freely and anonymously available for download
on GitHub.com and from Maven Central (search.maven.org) as well as
possibly being mirrored at many other places.  As a result, we are
told to

        Self Classify as 5D002. See
        License Exception TSU (740.13(e))
        for notification requirement

And that's where I get lost because I run into links with non-existent
servers (well, at least ones with no public DNS entries).

So where do I go from here? One person on the cryptography mailing
list said that they did this (the self-registration) themselves about
5 years ago and it only took them about an hour, so I'm willing to
give it a shot if I can figure out the exact steps I need to take.

Thanks in advance for any help that you can provide.

ESAPI project co-leader
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
