[Cryptography] FIPS, NIST and ITAR questions

radix42 at gmail.com radix42 at gmail.com
Tue Sep 3 12:54:30 EDT 2013

--Alexander Kilmov wrote:
>--David Mercer wrote:
>> 2) Is anyone aware of ITAR changes for SHA hashes in recent years 
>> that require more than the requisite notification email to NSA for 
>> download URL and authorship information? Figuring this one out last 
>> time around took looootttttttssssss of reading.

>I used to believe that hashing (unlike >encryption) was not considered 


Its a common misconception. ITAR doesn't require a license or permit for strong hash functions, but for US persons require(d?) notification of NSA of authorship, contact email and download URL(s), at least in 2006 it did. Often observed in the breach as it were, but some need care more about the letter of the law than others. I'm mostly curious if that requirement has gotten more or less stringent.

Thanks, that NIST list looks like the one I need.

-David Mercer

David Mercer
Portland, OR

More information about the cryptography mailing list