Re: gcc Export Control ECCN number if covered under EAR

[Jeffrey Walton <noloader at gmail dot com>]

On Mon, Oct 26, 2015 at 9:11 PM, Farhat, Sam (GE Aviation, US)
<samgeorge.farhat@ge.com> wrote:
> Thanks for clearing that up.
> Online search was conflicting, some pages with emails indicated there is encryption code in libgcj, in this link:  https://gcc.gnu.org/ml/gcc/2006-02/msg00051.html
>
> Is that incorrect information?

If its *only* hashing as stated by the fellow Tom, then the answer is
likely NO, GCC does not need to self classify.

GCC can even use public key and secret/shared key algorithms as long
as its used for authentication *only*. There's also a "NLR" or "No
License Required" exception for public key and secret/shared key
algorithms algorithms < 64 bits (IIRC), but I've never seen anyone use
it.

However, as soon as the algorithm is used for *encryption* (and its
64-bits or greater), then a commodity product must self classify.

Also, GCC's (or even OpenSSL or Crypto++) requirements are easier than
commodity products using them. The only action projects like GCC,
OpenSSL and Crypto++ have to do is send an email to the Encryption
Coordinator (the email address and the Ft. Meade, MD mailing address
is the NSA, btw).

Commodity products would have to do more, like signing up for the
SNAP-R account, creating and uploading documentation, uploading
required forms, sending printed copies of the documentation to the
Encryption Coordinator via snail mail, etc.

(Sorry if I am speaking out of turn. I've been through the process four times).

Jeff