Re: E, EROS export status -- answers Bill Frantz (frantz@netcom.com)
Thu, 20 Jan 2000 19:05:35 -0800

At 3:55 PM -0800 1/20/00, shapj@us.ibm.com wrote:
>Note that Bill Frantz and several others are quite wrong in what the
>export regs control. Whether you certify or not, whether you do the
>documentation or not, a system that incorporates any of the orange book
>functionality specified above the B2 level is probably covered by export
>regulations. Last week, that meant that it was not exportable. This week
>the answer is different, as I shall explain in detail.

I believe that if a system does not incorporate enough of the Orange Book functionality to be rated at B2, it does not matter what things above B2 it does contain (e.g. secure restart). It is not export controlled. Specifically, KeyKOS without the KeySafe code described in Susan Rajunas' paper is not controlled because it does not have things like audit trails, access control lists, etc. Do you disagree?


Bill Frantz       | Internet Explorer, the     | Periwinkle -- Consulting
(408)356-8506     | hacker's path to your      | 16345 Englewood Ave.
frantz@netcom.com | hard disk.                 | Los Gatos, CA 95032, USA