none
Export restrictions on cryptography RRS feed

Answers

  • Hi Leszek,<o:p></o:p>

    The answer as to whether you need to apply or not really depends on what your application
    does and how you answer the questions posted in the MSDN page (
    http://msdn.microsoft.com/en-us/library/windows/apps/hh694069.aspx) that is referenced in the other thread. 

    Since export controls are a government regulation, the final authority rests with them and it is your responsibility to make sure you are complying with the regulations based on what your program does.  The MSDN page exists to help you determine whether you are covered by well-known cases or whether you need to research the regulations with the governing body in more detail.<o:p></o:p>

    According to that document, the first question asks whether you are using HTTPS, and you are, so your answer to the first question is "yes".  The follow-up question is about what you are doing in the context of the HTTPS
    connection; there are certain "unrestricted tasks" that don't require an ECCN.  This is something that only you know--because you know what your app does and what service it is calling and how it is using that service.<o:p></o:p>

    If your app is using HTTPS only for the "unrestricted tasks" in the list, then according to the document and the EAR regulations, you would answer "no" and you wouldn't need to apply for an ECCN.  If you answer "yes" then you would.  If you are unsure, then you really should check the "EAR Controls for Items That Use Encryption" (http://www.bis.doc.gov/index.php/policy-guidance/encryption) link to be sure.  Aside from how you list the app for the certification process, you would want to comply with the regulation.

    I hope this helps.  <o:p></o:p>

    Dan Ruder
    Microsoft Developer Support


    • Marked as answer by ata6502 Friday, October 18, 2013 1:35 AM
    Friday, October 18, 2013 12:21 AM
    Moderator

All replies

  • Hey Leszek,

    As it was outlined in the post you linked, without the web services that are being encrypted being defined first, I can not confidently say one way or another.

    For an immediate answer I would say yes, do peruse the ECCN.  I welcome any additional details from you or anyone else that my have knowledge on topic, and appreciate the post!


    - Robert

    Thursday, October 17, 2013 7:39 PM
    Moderator
  • Thanks Robert for your response! I appreciate your help.

    The web service I'm using connects to a Navision database using https. This is all what I know about the web service. From the description at MSDN it seems I will have to apply for ECCN. I just wanted to make sure - MSDN does not say clearly that it applies to web services invoked using https, it says about "using a secure communication channel such as NTLM, Kerberos, Secure Sockets Layer (SSL)".

    The reason I need a definite answer (yes or no) is that there are more people involved in this project and I can't provide an answer of type "it seems so" - it must be yes or no.

    Thanks,

    Leszek


    Wiki: wbswiki.com
    Website: www.wisenheimerbrainstorm.com

    Thursday, October 17, 2013 10:40 PM
  • Hi Leszek,<o:p></o:p>

    The answer as to whether you need to apply or not really depends on what your application
    does and how you answer the questions posted in the MSDN page (
    http://msdn.microsoft.com/en-us/library/windows/apps/hh694069.aspx) that is referenced in the other thread. 

    Since export controls are a government regulation, the final authority rests with them and it is your responsibility to make sure you are complying with the regulations based on what your program does.  The MSDN page exists to help you determine whether you are covered by well-known cases or whether you need to research the regulations with the governing body in more detail.<o:p></o:p>

    According to that document, the first question asks whether you are using HTTPS, and you are, so your answer to the first question is "yes".  The follow-up question is about what you are doing in the context of the HTTPS
    connection; there are certain "unrestricted tasks" that don't require an ECCN.  This is something that only you know--because you know what your app does and what service it is calling and how it is using that service.<o:p></o:p>

    If your app is using HTTPS only for the "unrestricted tasks" in the list, then according to the document and the EAR regulations, you would answer "no" and you wouldn't need to apply for an ECCN.  If you answer "yes" then you would.  If you are unsure, then you really should check the "EAR Controls for Items That Use Encryption" (http://www.bis.doc.gov/index.php/policy-guidance/encryption) link to be sure.  Aside from how you list the app for the certification process, you would want to comply with the regulation.

    I hope this helps.  <o:p></o:p>

    Dan Ruder
    Microsoft Developer Support


    • Marked as answer by ata6502 Friday, October 18, 2013 1:35 AM
    Friday, October 18, 2013 12:21 AM
    Moderator
  • Thanks Dan, this is a very helpful explanation.

    As I'm using cryptography only for password encryption, the answer to my question is "No, I don't have to apply for ECCN".

    Leszek


    Wiki: wbswiki.com
    Website: www.wisenheimerbrainstorm.com

    Friday, October 18, 2013 1:35 AM
  • Glad to help, Leszek.  Have a great weekend!

    Dan

    Friday, October 18, 2013 5:23 PM
    Moderator