law office of
Lee Tien
1452 Curtis Street
Berkeley, California  94702
_______________
  tien@well.com
voice:  (510) 525-0817
fax:  (510) 525-3015

April 22, 1997

Reference:  CLASSIFICATION REQUEST for Integrated DNSSEC


Bureau of Export Administration
U.S. Department of Commerce
14th Street and Pennsylvania Avenue, N.W.
Room 2705
Washington, DC  20444

Dear Sir or Madam:

This is a Classification Request pursuant to 15 C.F.R. para. 748.3 of the
Export Administration Regulations ("EAR") by Mr. Hugh Daniel for
"Integrated DNSSEC," authentication software for improving the security of
the Internet's Domain Name System ("DNS").  Form BXA-748P is enclosed.
We ask that the Bureau of Export Administration ("BXA") confirm our
judgment that Mr. Daniel may freely export this software in both source and
object code form without a license because he plans to make the software
publicly available, and it is therefore not subject to the EAR under 15
C.F.R. para. 734.3(b)(3)(i).  Mr. Daniel in December 1996 submitted a Commodity
Jurisdiction Request ("CJR") asking the State Department's Office of
Defense Trade Controls ("ODTC") to determine that Integrated DNSSEC was
subject to Commerce Department jurisdiction; the CJR was returned without
action and Mr. Daniel was directed to contact BXA.  A copy of the December
CJR, along with a technical description, is enclosed as Attachment 1 to
this Request and incorporated by reference.

Further details are provided below, but in summary, Integrated DNSSEC is an
authentication application consisting of an implementation of Domain Name
System Security Extensions ("DNSSEC") known as "TIS/DNSSEC," developed by
Trusted Information Systems, Inc. ("TIS") under Defense Advanced Research
Projects Agency ("DARPA") sponsorship, integrated with the RSAREF 2.0
toolkit ("RSAREF") released by RSA Data Security, Inc.

Because Integrated DNSSEC is authentication software used only to
authenticate users or messages and the encryption capability of the
software is limited to encryption of data needed for authentication, we
believe that:  it is not controlled by ECCN 5D002 (see Note to ECCN 5A002
f. and g.); jurisdiction over such software resided at Commerce prior to
November 1996; Integrated DNSSEC may be made publicly available without a
license.

A primary goal of the DARPA contract work performed by TIS was to make the
TIS implementation freely available to DNS implementers on the Internet.
Mr. Daniel seeks to make Integrated DNSSEC freely available to DNS
implementers on the Internet.  He works with various free, non-proprietary
software distributors, such as those who distribute the non-proprietary
version of UNIX known as GNU.  After approval for distribution is obtained,
he plans to make the software available for download from the Internet
Software Consortium World-Wide Web ("Web") page at www.isc.org, and from
TIS.  He also expects that it will be integrated with several free
operating system releases, such as Linux (www.linux.org) and FreeBSD
(www.freebsd.org), which are available both online and on CD-ROMs.
Furthermore, Mr. Daniel intends to make Integrated DNSSEC publicly
available in response to all such requests, either free or at a price that
does not exceed the cost of reproduction and distribution.  We anticipate
that many requests for Integrated DNSSEC will be made via the Internet and
that free distribution over the Internet will be the major, but not the
only, mode of distribution to users.

Thus, Integrated DNSSEC is a "mass market" item in that it is designed for
use without further substantial support and will be made available without
restriction via electronic mail ("e-mail"), web and file transfer protocol
("ftp") download, telephone and mail requests from users.  See Supp. No. 2
to 15 C.F.R. Part 774, General Software Note.

Therefore, we request that you find that Mr. Daniel's proposed distribution
of Integrated DNSSEC is not subject to the EAR and provide a classification
for Integrated DNSSEC that reflects its "mass market" nature and its public
availability.

The following information is presented for your review and analysis:

1.	Description:  Integrated DNSSEC adds authentication to the
Internet's Domain Name System ("DNS).  The main function of the DNS is to
associate an Internet address with an Internet host name.  It is a critical
operational part of the Internet infrastructure.  The DNS, however,
currently has no security capabilities.  It is easy to insert false data
into it, and by altering DNS data, a person can pretend to be someone else
or redirect communications to go to other than the originally intended
destination.  Thus, malicious or erroneous information can corrupt the DNS
and significantly harm the Internet.

To address this problem, the Internet Engineering Task Force ("IETF")
designed security extensions based on digital signatures to assure
security, integrity and reliability.  Under DARPA sponsorship, Trusted
Information Systems, Inc., implemented the IETF specifications into its
TIS/DNSSEC.  These extensions specifically do not provide users with
encryption confidentiality; instead, the DNS Security Extensions provide
for the distribution and storage of authenticated public keys in the DNS
structure.  This capability can support other Internet functions in
addition to the DNS, so fielding the TIS security extensions for DNS will
provide improved security, integrity and reliability for the overall
Internet.

Integrated DNSSEC consists of the source code for TIS/DNSSEC integrated
with the source code for the RSAREF crypto tool kit.  TIS/DNSSEC is a
modified version of the Berkeley Internet Name Daemon ("BIND") software,
the software most widely used for implementing the DNS on the Internet,
which is written in the C programming language.  It uses RSAREF, also
written in the C programming language, as an authentication tool.  It does
not use any of RSAREF's cryptographic functionality other than in service
of authentication.  The majority of TIS/DNSSEC is dedicated to handling new
resource records (stored information entries in the DNS database) and
processing requests and responses for these records.  Only a small portion
of the TIS/DNSSEC implementation deals with RSAREF.

In support of this Classification Request, we have also provided copies of:
the TIS/DNSSEC CJ Request (ODTC Case CJ 261-96) and the ODTC letter
determining that TIS/DNSSEC is outside State's licensing jurisdiction; the
forms issued by BXA with respect to TIS/DNSSEC; and one floppy disk
containing the subject source code.  (Attachments 2, 3 and 4, incorporated
by reference into this Request).

The floppies each contain a DOS file system.  There is a single file on
each floppy, called "tisdnssc.tgv".  This is a gzip'd tar file which
contains the complete source code distribution for TIS/DNSSEC.

Using these commands:

        gzip -d <tisdnssc.tgv >tisdnssc.tar
        tar xvvf tisdnssc.tar

the distribution can be extracted.  This will create a new directory called
sec_bind494-b131-complete, which has all the files in it.  In that
directory is a file named README_COMPLETE which is in addition to the files
from the TIS release and the RSAREF release.

The README_COMPLETE simply states:

"        Complete distribution of TIS/DNSSEC

This directory integrates the Trusted Information Systems release of
TIS/DNSSEC and the RSA Data Security release of RSAREF.  The only changes
are minor edits in the top-level Makefiles of the two distributions.  The
result is a single distribution which provides complete source code for
authenticated domain name services.

See TIS's README_SEC for details on the program, and INSTALL_SEC for the
installation instructions."

The only changes from the two distributions are:

        Removed packing materials from the RSAREF release.
        Renamed top-level directory to add -complete.
        Edited Makefile to add rsaref/lib to the SUBDIRS list and to
                change the default compiler on SunOS to gcc.
        Copied rsaref/install/unix/makefile to rsaref/lib/makefile.
        Edited rsaref/lib/makefile to avoid a name conflict with the
                top-level Makefile.
        Added README_COMPLETE file.

The commodity has been tested and it compiles without further integration,
following the directions in the INSTALL_SEC file, on SunOS using GCC.

The RSAREF distribution includes a sample program that can do file
encryption, for testing the distribution.  The program cannot be removed
from the distribution because the RSAREF program license agreement requires
consent from RSA Data Security for changes to the release.  However, this
program is restricted to using one of three keys, two of which are wired
into the program (and are thus known) and the third of which is "randomly"
generated by RSAREF itself (to test the key generator).  However, the
random number generator in the test program has been crippled so that it
only gets fed zeros: its output is completely predictable.  In other words,
the program is not useful for file encryption; it provides no
confidentiality because all possible keys are pre-compromised.

2.	Origin of Commodity:  The specifications for the DNS Security
("DNSSEC") Extensions were published by the IETF.  The extensions provide
the specific mechanisms (data origin authentication, data integrity, key
distribution, transaction authentication, request authentication) to
integrate security, integrity and reliability into the DNS.  Under DARPA
sponsorship (Contract # DABT63-94-C-0001, "Internet Infrastructure
Protection," March 1, 1994), TIS developed a reference implementation of
the DNSSEC specification, TIS/DNSSEC.

Integrated DNSSEC will, after compilation and installation by a trained
person, perform authentication on its own.  It is designed for installation
without further substantial support by the supplier.  TIS/DNSSEC, as
released by TIS, did not function to authenticate on its own; it requires
that the DNS implementer obtain and compile RSAREF separately.

RSAREF is software developed by RSA Data Security, Inc., and made available
without cost per the RSA Program License Agreement.  Although RSAREF has
cryptographic functionality, Integrated DNSSEC does not use any of RSAREF's
cryptographic functionality other than that needed to perform
authentication.

In September 1996, TIS obtained approval from BXA to make TIS/DNSSEC freely
available to DNS implementers on the Internet.  See Attachment 3.  However,
although TIS/DNSSEC requires RSAREF to be functional, it is published
without RSAREF.  Thus, TIS/DNSSEC is of limited value because DNS
implementers must obtain and compile RSAREF separately before being able to
authenticate.

The goal of this Classification Request is to make it possible for DNS
implementers to have DNS authentication in a single integrated package.

3.	Current Use:  The TIS/DNSSEC software was recently released.
Integrated DNSSEC would be a new release; after approval for distribution
is obtained, Mr. Daniel plans to make the software available for download
from the Internet Software Consortium web page at www.isc.org, and from
TIS.  He also expects that it will be integrated with several free
operating system releases, such as Linux (www.linux.org) and FreeBSD
(www.freebsd.org), which are available both online and on CD-ROMs.
Integrated DNSSEC is a "mass market" item designed to for use without
further substantial support from Mr. Daniel and will be made available
without restriction via electronic mail ("e-mail"), web and file transfer
protocol ("ftp") download, telephone and mail requests from users.  Mr.
Daniel intends to make Integrated DNSSEC publicly available in response to
all such requests, either free or at a price that does not exceed the cost
of reproduction and distribution.

We anticipate that many requests for Integrated DNSSEC will be made via the
Internet and that free distribution over the Internet will be the major,
but not the only, mode of distribution to users.

4.	Special Characteristics:  Integrated DNSSEC is not designed to meet
specific military standards or specifications, is not a "hardened" military
device, does not contain TEMPEST capability, and is not intended for
surveillance or intelligence gathering.  The package's only use of
encryption for confidentiality is for the protection of stored private
signature-generation keys via a DES function in RSAREF, and for testing the
functioning of the underlying cryptographic library using known keys, as
described above.

5.	Other Information:  Integrated DNSSEC is implemented to provide
authentication and integrity assurance mechanisms for the Internet DNS.
The package contains RSAREF, but only uses RSAREF for authentication and to
protect stored private signature-generation keys.

Mr. Daniel seeks to make Integrated DNSSEC publicly available to DNS
implementers on the Internet.  Making it publicly available will increase
the security, integrity and reliability of the Internet, a primary goal of
the DARPA-sponsored development of TIS/DNSSEC.  The advantage of Integrated
DNSSEC over TIS/DNSSEC is that it contains everything necessary to
implement DNSSEC.  Future versions are planned for the BIND 8 release,
which is not yet in stable form.

6.	Recommendation and Justification:  We recommend that BXA find that
Mr. Daniel's proposed distribution of Integrated DNSSEC, as described
above, is not subject to the EAR under 15 C.F.R. para. 734.3(b)(3)(i) because
he will make it publicly available.

By way of background, the ITAR had previously exempted software otherwise
within U.S. Munitions List ("USML") Category XIII(b)(1) from State
jurisdiction if it was "[l]imited to access control" or  "[l]imited to data
authentication . . . to ensure no alteration of text has taken place, or to
authenticate users, but does not allow for encryption of data, text or
other media other than that needed for the authentication."  22 C.F.R. para.
121.1 Category XIII(b)(1)(v), (vi).  Because Integrated DNSSEC will prevent
persons from misdirecting Internet traffic through unauthorized alteration
of DNS data, which can cause Internet outages, it should also have
qualified for exemption as software "designed . . . to protect against
malicious computer damage."  22 C.F.R. para. 121.1 Category XIII(b)(1)(ix).
These points were made in Mr. Daniel's December 1996 CJR, which was
returned without action.   See Attachment 1.

We believe that the EAR contains exemptions similar to ITAR's "access
control" and "data authentication" exemptions.  We further believe that
under the EAR this software is eligible for public availability treatment
under 15 C.F.R. para. 734.3(b)(3)(i).  Mr. Daniel intends to make Integrated
DNSSEC publicly available in response to all such requests, either free or
at a price that does not exceed the cost of reproduction and distribution.
The EAR specifically provides that "[i]f the source code of a software
program is publicly available, then the machine-readable code compiled from
the source code is software that is publicly available and therefore not
subject to the EAR."  Supplement No. 1 to Part 734, Answer to Question
G(1); see also id., Answer to Question I(3).

ECCN 5A002 Note f. and g. appears to set forth exemptions equivalent to the
above-mentioned ITAR exemptions.  15 C.F.R. Part 774, Category 5.II.
(information security).  This language states, in pertinent part, that:
Note: 5A002 does not control:
* * *
f.  Access control equipment . . . that protects password or personal
identification numbers (PIN) or similar data to prevent unauthorized access
to facilities but does not allow for encryption of files or text, except as
directly related to the password or PIN protection;
g.  Data authentication equipment that calculates a Message Authentication
Code (MAC) or similar result to ensure no alteration of text has taken
place, or to authenticate users, but does not allow for encryption of data,
text or other media other than that needed for the authentication . . . .

While 5A002 applies to equipment, the regulations defining ECCN 5D002
(encryption software) state that:
Note: 5D002 does not control:
* * *
b. "Software" providing any of the functions of equipment excluded from
control under the Note to 5A002.

As explained above, Integrated DNSSEC is implemented to provide only
authentication and integrity assurance mechanisms for the Internet DNS.
BXA has previously recognized that the TIS/DNSSEC implementation is "mass
market" software without "encryption item" ("EI") control.  See Attachment
3 (TIS-BXA 6002L).  Integrated DNSSEC is merely the already exportable
TIS/DNSSEC combined with the library that makes it functional to perform
authentication.

The application only provides the capability to authenticate.  It provides
no confidentiality capability to users.  There is no application for
general file or text encryption functionality.  While the application
contains cryptographic algorithms present within RSAREF, the application
contains no interface to RSAREF other than for authentication and test
purposes.  Integrated DNSSEC's interface to RSAREF encryption is limited to
the use of a DES function for protecting stored private
signature-generation keys.  No user access to RSAREF's encryption
capabilities is provided; the only uses of encryption for confidentiality
are within a restricted internal function protecting private keys used for
signature generation, and within a test scaffold that uses pre-selected,
known key values. Thus, the included library validation program is
incapable of meaningful encryption because it is deliberately crippled.

The basic exponentiation algorithm is of course capable of performing
encryption, but Integrated DNSSEC only uses it for authentication.  Any
software to perform secure authentication internally contains an encryption
algorithm that has the potential to provide confidentiality, so the
applicability of the authentication exemption should turn only on whether
Integrated DNSSEC functions to authenticate.

Thus, we believe Integrated DNSSEC contains no more encryption than is
needed for assuring authentication and integrity of Internet domain names
and addresses as specified by the IETF's DNS Security Extensions.

Because Integrated DNSSEC is "software" that has the functions specified in
ECCN 5A002 Note f. or g., we believe that Integrated DNSSEC is not EI
software within ECCN 5D002.  Therefore, it appears Integrated DNSSEC is not
on the Commerce Control List and is not subject to the EAR at all.

Some other classification may apply to Integrated DNSSEC.  We have been
unable to determine precisely which ECCN classification should be applied
to Integrated DNSSEC.  However, we believe the ECCN classification is
irrelevant in this case.  It is our understanding that because Mr. Daniel's
proposed activities of "export" consist of making the software publicly
available per 15 C.F.R. para. 734.3(b)(3)(i) and 15 C.F.R. para. 734.7(b), he
does not need a license.

We are aware that under the recently promulgated "encryption item" ("EI")
regulations, 61 Fed.Reg. 68572 (Dec. 30, 1996), EI software, i.e. ECCN
5D002, is not eligible for public availability treatment.  We believe that
these provisions do not apply to Integrated DNSSEC because it cannot be
used to encrypt and therefore is not "encryption software" within the
meaning of the EAR.  Inasmuch as the provisions above only refer to
"encryption software controlled under ECCN 5D002 for 'EI' reasons on the
Commerce Control List [CCL]," e.g., 15 C.F.R. para. 734.7(c), and
authentication software like Integrated DNSSEC is expressly excluded from
5D002 as explained above, it should be possible to make Integrated DNSSEC
publicly available under 15 C.F.R. para. 734.7(b).

We further note that, as outlined in the December CJR to State , Integrated
DNSSEC fell within specific ITAR exemptions for "access control," "data
authentication," and "malicious damage prevention" that have been in place
for several years.  This means that jurisdiction over software within these
exemptions was transferred to Commerce prior to the general transfer of
encryption items from the USML to the CCL by Executive Order 13026 of
November 15, 1996 (61 Fed.Reg. 58767).

This is significant because the EI regulations plainly state that the "EI"
reason for control "applies only to encryption items transferred from the
U.S. Munitions List to the Commerce Control List consistent with E.O. 13026
of November 15, 1996."  15 C.F.R. Part 774, Category 5.II., 5A002; see also
id. at 5D002.  Jurisdiction over software within the exemptions on which we
rely was transferred earlier; the March 25, 1996 recodification of the EAR
contains the enumerated exemptions.  See ECCN 5D002, Note ("5D002 does not
control . . . [s]oftware providing any of the functions of equipment
excluded from control under the Note to 5A002"), 61 Fed.Reg. 13005 (March
25, 1996); ECCN 5A002, Note ("5A002 does not control . . . access control
equipment [and] [d]ata authentication equipment . . . [that] does not allow
for encryption . . . other than that needed for the authentication"), 61
Fed.Reg. 13004 (March 25, 1996).  We again note that in June 1996, the ODTC
determined TIS/DNSSEC to be outside State's licensing jurisdiction.  See
Attachment 2.

Thus, Commerce had jurisdiction over such access control and data
authentication software prior to November 15, 1996.  Because Integrated
DNSSEC is access control or authentication software, there cannot be "EI"
controls on such software.  And, because all software other than EI
software can be made publicly available, Integrated DNSSEC can be made
publicly available.

It is our position, then, that Integrated DNSSEC is specifically excluded
from ECCN 5D002 by 5D002 Note and 5A002 Notes f. and g., or was subject to
Commerce Department jurisdiction prior to the President's actions of
November 15, 1996.  Either way, it ought not be subject to the provisions
of the new EI regulations that deny public availability treatment for
encryption software.  It follows that Integrated DNSSEC can receive public
availability treatment.

We therefore respectfully request that BXA provide a Classification Request
determination stating that Mr. Daniel's proposed distribution of Integrated
DNSSEC in source and object code form is not subject to the EAR.  If the
activities described in this Classification Request do not comport with
your public availability regulations, or if we have incorrectly interpreted
any of your regulations, please inform me of the errors and of what other
steps must be taken. I can be contacted at (510) 525-0817 (voice), (510)
525-3015 (fax) or tien@well.com (e-mail).

Sincerely yours,

Lee Tien

ENCLOSURES:

Form BXA-748P
Attachment 1:  Daniel CJ Req. (with TIS/DNSSEC description) and ODTC RWA
Attachment 2:  TIS/DNSSEC CJ Req. and ODTC letter
Attachment 3:  BXA forms re:  TIS/DNSSEC
Attachment 4:  floppy disk w/Integrated DNSSEC source code