1 INFORMAL HEARING 2 - - - - - - - - - - - - - - - - x 3 In the matter of: : 4 APL9800007/Z066051/G006298 : 5 : PAGES 1 - 78 6 - - - - - - - - - - - - - - - - x 7 8 Hearing held at the offices of Department of Commerce, 9 14th and Constitution Avenue, N.W., Washington, D.C., 10 20230, commencing at 10:30 a.m., Monday, January 25, 11 1999, before Moderator Anstruther Davidson. 12 13 14 15 16 17 18 19 20 21 Reported by: ROBERT M. JAKUPCIAK, RPR 22 Page 2 1 A P P E A R A N C E S O F C O U N S E L: 2 FOR THE APPELLANT: 3 BY: LEE TIEN, ESQUIRE 4 1452 Curtis Street 5 Berkeley, Calfornia 94702 6 (510) 525-0817 7 8 FOR THE EXPORT ADMINISTRATION: 9 U.S. DEPARTMENT OF COMMERCE 10 BY: HOYT H. ZIA, ESQUIRE 11 THOMAS C. BARBOUR, ESQUIRE 12 14th & Constitution Avenue, N.W. 13 Washington, D.C. 20230 14 (202) 482-5301 15 16 P R E S E N T 17 Hugh Daniel 18 John Gilmore 19 Joanne M. Kelly, Esquire 20 James A. Lewis 21 22 Page 3 1 P R O C E E D I N G S 2 MR. DAVIDSON: All right. I would like to 3 welcome everybody to an informal hearing of an appeal 4 submitted by Mr. Lee Tien on behalf of Hugh Daniel. 5 This is Appeal Number 980007 or Z, as in Zulu, 066051 6 or G, as in golf, 006298. It's an appeal under 7 Section 756 of Export Administration Regulations and 8 appeals the propriety of a June '98 letter from 9 Mr. Jim Lewis revoking a prior commodity 10 classification of EAR 99 and issuing one of ECCN 5D, as 11 in delta, 002. 12 You have requested an informal hearing and 13 Mr. Reinsch, the Under Secretary, has granted the 14 request. The primary purpose for the hearing is for 15 you and Mr. Daniel to present any additional matters 16 for consideration that are relevant to the matter. 17 Neither side is required to present its case here, so 18 that applies on both sides. Anything that, for 19 example, was in your pleading or in your letter that 20 you don't talk about is still certainly relevant and 21 something that Mr. Reinsch would address. 22 My role is that of moderator. I am not Page 4 1 making the decision. Mr. Reinsch is making the 2 decision. I would suggest we go around the room -- 3 oh, and one final thing. Most of us know this but we 4 probably need to remember since especially in this 5 building we don't do that this much. We can only 6 speak one at a time because the court reporter can 7 only take down one person at a time. So if you want 8 to say something, sort of raise your hand, take a 9 breath and we will try to get you recognized. 10 To my left is Jim Lewis, who is the 11 Director of the Office of Strategic Trade and Foreign 12 Policy. 13 MR. LEWIS: How are you? 14 MR. DAVIDSON: To his left is Mr. Hoyt Zia, 15 who is the Chief Counsel for Export Administration and 16 is the primary legal advisor to the Under Secretary. 17 MR. ZIA: Good morning. 18 MR. DAVIDSON: And to his left is Mr. Tom 19 Barbour, who is an attorney in the Office of Chief 20 Counsel. Good morning, sir. 21 MR. BARBOUR: Good morning. 22 MR. DAVIDSON: To my right is Mr. Lee Tien, Page 5 1 the attorney who filed the case. And why don't I let 2 you introduce your client and anybody else. 3 MR. TIEN: I represent the exporter in this 4 case, Mr. Hugh Daniel, who is to my right, and to his 5 right at the table is Mr. John Gilmore, who is the 6 technical consultant. And then sitting outside the 7 table is Ms. Joanne Kelly of the McKenna & Cuneo law 8 firm, and she will primarily be observing. I will be 9 expecting Mr. Gilmore and Mr. Daniel to offer 10 technical details that I am unable to offer. 11 MR. DAVIDSON: Unless anyone has a question 12 or other matter, I would propose to allow you, let you 13 start and -- 14 MR. TIEN: Why don't you put your 12(c) 15 issue on the record. 16 MR. DAVIDSON: The other issue is that we 17 would normally not allow in the room someone who is 18 not the exporter or a legal representative of the 19 exporter, since we would presumably be discussing the 20 commercial and other proprietary affairs of the 21 exporter and of his equipment. Section 12(c) of the 22 Export Administration Act prohibits us from making Page 6 1 that public and we often speak of it as a right of the 2 exporter, although it's probably broader than that. 3 And as I said on the telephone, we have no 4 objection to the other people being in the room, but 5 we would never allow that if it were not acceptable to 6 you and your client. So I would like to indicate for 7 the record whether it is or is not. 8 MR. DANIEL: They are here at our request. 9 MR. DAVIDSON: Thank you. Go ahead. 10 MR. TIEN: I would like to thank the 11 Under Secretary and Mr. Davidson for giving us an 12 opportunity to respond to Mr. Lewis's letter on the 13 BXA reclassification. Let me begin by summarizing our 14 main point. And they are two, with some subpoints. 15 The first main point is about the technology and 16 policy surrounding authentication. As we all know, 17 the software in this matter is software for 18 authenticating the Internet, specifically domain name 19 security. 20 I will be talking about something called 21 DNS, and that refers to the domain name system, which 22 is kind of a traffic cop for information flowing over Page 7 1 the Net. Now, the two subpoints under there are first 2 that this kind of authentication requires some element 3 of cryptography, and the regulations as they are 4 currently written exempt authentication. 5 The second, as a general policy matter this 6 particular type of authentication, DNS security, is 7 something that the government has a public policy 8 interest in, as evidenced by the role of DARPA and 9 DISA in funding and attempting to productize DNS 10 security research products. And that as a technical 11 matter, and we can have Mr. Gilmore and Mr. Daniel go 12 into this in more depth, encryption is needed for the 13 particular authentication application here of DNS 14 security. And so let me summarize that point by 15 saying that there are reasons for the authentication 16 exemption that currently exists. 17 My second point is more of a legal point 18 and I'm going to start at the same place, which is 19 that authentication is exempt from encryption item or 20 EI controls. And the regulations are clear on this. 21 The regulations recognize that authentication contains 22 encryption and this is a matter of long standing. Page 8 1 Openly, at least since April 1992, when the 2 ITAR recognized the authentication exemptions, 3 these -- there has been this line between, in quotes, 4 encryption and authentication. And we believe that 5 the key here in understanding authentication exemption 6 is that it focuses on what the item is designed to do. 7 And for short I sort of think of this as the "as is" 8 principle. 9 And for this reason, and I will go into 10 this in more detail later if necessary, our position 11 is that the initial classification of integrated 12 DNSSEC, the software in this case, was correct, it was 13 authentication software. 14 Now, the subpoint under this is that on the 15 second review of the software, which found it to be an 16 encryption item subject to EI controls, BXA applied a 17 different standard, did not apply the standard stated 18 in the regulations. Rather, it focused on what the 19 software could be if it were modified by someone else. 20 This is, we argue, ultra-vires action. The 21 standard needs to be in the regulations. Second, it 22 undermines the authority of the written regulations Page 9 1 and the policy behind them, which recognizes that 2 authentication requires encryption. And this is again 3 especially true for the DNS security situation. 4 Third, the standard that's actually used in 5 the -- on the second classification, which is that, I 6 call it modifiability or easy modifiability, is 7 unworkable and if it were left in the current form it 8 would be vague. 9 There is a general principle that we should 10 construe statutes and regulations so as not to render 11 any language in them superfluous. And the problem 12 with this construction is that it would essentially 13 swallow up the authentication exemption. 14 And finally, we believe that there is a due 15 process problem. Certainly, we do not say that BXA 16 lacks the authority to promulgate the standard, but it 17 should be done in a procedurally fair fashion. You 18 need to have clear and consistent rules and 19 application of rules. 20 Agencies are bound by their written 21 regulations. It would be good for exporters if the 22 agency followed due process, because under the EAR Page 10 1 self-classification is encouraged and exporters need 2 clear rules in order to do that. But as we know, 3 there is strict liability for civil violation of EAR, 4 and that will make it very difficult for 5 self-classification to occur. And on the other hand 6 we think it would be good for the agency because what 7 we have here is a situation where BXA is undermining 8 its own written regulations and the legitimacy of the 9 process is something that encourages compliance. When 10 significant changes are going to be made in the 11 regulations, as we believe this would be, then doing 12 so ultimately will enhance the legitimacy. 13 And finally, whereas traditionally most of 14 these kinds of decisions are not subject to judicial 15 review, we believe that under the IEEPA there 16 is a potential for review of this kind of decision. 17 So let me summarize just by saying that 18 there is no such thing as a perfect rule, but today's 19 written regulations are pretty good. They have been 20 essentially unchanged since 1992. There is no reason 21 to depart from them. I think that the standard 22 enunciated as a reclassification of the software works Page 11 1 a significant change and that should not occur without 2 an open process of actually changing them. 3 That concludes my summary. I would like to 4 ask either Mr. Gilmore or Mr. Daniel to talk a little 5 bit about the technical aspects of why authentication 6 is integral to domain name security. 7 MR. DANIEL: The Internet is growing and 8 growing at quite a great pace and we are all coming to 9 depend on it more and more. There is a fundamental 10 mapping that happens out there between human named 11 space and computer number space, and this mapping is 12 done via the domain name system that converts names 13 that all of us use into the numbers, the addresses, 14 like 1909 Main Street, that the computers have to use 15 to communicate with each other. 16 Right now that entire system is open to 17 being messed with by people with appropriate skill. 18 Anyone who wants to can go grab a piece of the main 19 name space, and they don't have to do this obviously. 20 They can do it very subtly. They can say simply get 21 the numbers from me and hand out perfectly valid 22 numbers for maybe all but one address and for that one Page 12 1 address it's not even clear to most users or even 2 sometimes to experts like me that I'm getting a bogus 3 number, because they can take all the packet data for 4 that valid other end of the communication, look at it, 5 maybe modify it, maybe not, and then pass it on to the 6 other end, and the other end is none the wiser because 7 it can fake my address to the other end. This is 8 called the man in the middle attack. 9 Currently the entire Internet is open to 10 this and it's not something that can be fixed in any 11 one place. The entire Net has to be fixed because 12 somebody sitting in Egypt could literally do this for 13 me in looking up regulations on the BXA site from 14 California to Washington. 15 The way this is fixed is with something 16 that the IETF is actually done designing and now we 17 are trying to deploy called domain name security, 18 where we use the art and techniques of authentication 19 to make certain that the name to number mappings are 20 what they claim to be. So that when I'm working with 21 say deposits.citibank.com, I'm really getting 22 deposits.citibank.com directly and not say Page 13 1 deposits.medellin.cartel. 2 This is the technology we are trying to get 3 out and trying to get deployed. I want my Net to be 4 solid and secure and I want to use it just as easily 5 to send love letters or to look up regulations or to 6 do business with my government. That is not going to 7 be doable in the future if the domain name system 8 stays as vulnerable as it is now. 9 MR. DAVIDSON: Excuse me. Can I ask a 10 question at this point? 11 MR. DANIEL: I was done. I was trying to 12 make it quick. 13 MR. DAVIDSON: Thank you. You did. Two 14 questions. The vulnerability is in up-loading the 15 domain name information, the translation between the 16 domain name and, I guess, the IP address? 17 MR. DANIEL: That's correct. 18 MR. DAVIDSON: Or is the vulnerability once 19 they are up-loaded somewhere in the stream someone 20 misdirects, if I'm using the right word, and I may not 21 be, the request for data between the user and the 22 server? That's the question, right, if I -- Page 14 1 MR. DANIEL: In actuality it's both. 2 MR. DAVIDSON: And is your software 3 designed to address both? 4 MR. DANIEL: The second answer is yes and 5 no. The first answer is that you have to -- whenever 6 a user types in an address, like 7 deposits.citibank.com, that address has to be looked 8 up and several computers along the chain are involved. 9 The DNS itself is a distributed database system. It's 10 actually rather unique in networking technology. 11 Pieces of it are kept all over the place, because if 12 you had to go to a central repository for that bit of 13 information you would have to wait long amounts of 14 time. And whenever that central repository was down 15 or overloaded you would not get the data you were 16 looking for. 17 So the data in the DNS is distributed 18 around the many nodes of the hierarchical system so 19 there is both a storage in all the remote places where 20 pieces of the database are kept and there is the 21 fetching of the data. Each one of those nodes uses 22 the DNS system to get the data from further up or down Page 15 1 the hierarchy. 2 MR. TIEN: Can we think of it as a big 3 distributed phone directory? Is that an unreasonable 4 analogy? 5 MR. DANIEL: No. No. It's more like the 6 neuro-mapping system in a human body. Because no, a 7 phone directory, if you get it wrong you call up and 8 say, hi, is this Joe's Garage? And they say, no, this 9 is Joe's Cleaners. This is more integral to the 10 operation of the Net than that. 11 MR. DAVIDSON: Let me -- 12 MR. TIEN: I don't think we -- did we -- 13 MR. DANIEL: There was a second part of 14 your question I think and I'm spacing what it was at 15 this point. 16 MR. DAVIDSON: I probably didn't ask the 17 question exactly right. I guess I'm a little bit 18 interested -- I think I sort of understand the domain 19 name system. I probably have some mistakes. Where 20 does the authentication occur? What is the packet of 21 data that you are authenticating? 22 MR. DANIEL: Give John a shot. Page 16 1 MR. GILMORE: Why don't I try this. The 2 way DNS security is designed, the person who 3 originally puts the data into the system, who owns it, 4 basically signs it with a private key known to them. 5 And so, for example, BXA would hold its own data and 6 sign that. And then as that data propagates around 7 the network that signature is checked at each point. 8 So the software that we were actually 9 trying to publish only checks it at intermediate 10 servers. So, for example, at my machine, say my 11 laptop wouldn't check it but the server in my house 12 would check it. 13 Eventually the software will be set up so 14 that it gets checked all the way end to end but we 15 don't have all of that written yet. 16 MR. DAVIDSON: So the major thing it 17 authenticates is that the IP address that correlates 18 to the bxa.doc.gov always stays -- and when that gets 19 replicated through the domain name system that they 20 stay the same? 21 MR. GILMORE: Right. Unmodified. 22 MR. DANIEL: So the address and the name Page 17 1 stay the same and are checkable from whatever the 2 owner entered it as. 3 MR. TIEN: If I try to pretend to be 4 bxa.doc.gov, they will look and say, whoa, that's not 5 signed with your key so we reject it. 6 MR. DAVIDSON: Or you try to up-load to the 7 domain name server someplace that -- all right. I 8 understand. Thank you. If you were finished or if 9 you have anything else? 10 MR. GILMORE: I guess I had one other thing 11 to say. People have known about this vulnerability on 12 the Internet for maybe ten years. It's been known 13 theoretically, but it actually happened more than a 14 year ago. There was someone who was upset with the 15 monopoly of Network Solutions over issuing domain 16 names, a guy names Eugene Kashpureff, who wanted to 17 start up a competing business and he was in Canada and 18 one day he sent the wrong information to about 5,000 19 domain name servers, sort of he picked a good 5,000 20 and sent bad information to each one of them that 21 redirected www.internic.net so it would come to his 22 web page instead. Page 18 1 This was all covered in the New York Times. 2 He ended up being the subject of a criminal 3 prosecution for it and, you know, it was a serious 4 problem. It woke a lot of people up to the 5 vulnerability and increased the urgency of actually 6 getting the domain name security deployed. 7 MR. DAVIDSON: Let me ask another question 8 then along that line. The software in issue here was 9 in source code? 10 MR. TIEN: That's correct. 11 MR. DAVIDSON: That's one of the big 12 issues. For the purpose of protecting the Internet 13 and addressing the concerns you raised, what would be 14 the utility of having the software available in object 15 code, in uncompiled -- or compiled form? 16 MR. DANIEL: Compiled form. The utility, 17 it would be useful for people who happened to have 18 that rev of software operating system would run that 19 binary, but it would not be useful in the general 20 case. There are too many different machine types. 21 Remember, we are talking about servers here 22 that handle the intermediary data and it's not like Page 19 1 Windows where Bill Gates has a monopoly and 99 percent 2 of the machines are this. The machine types are 3 spread between different CPUs and different operating 4 systems, et cetera. 5 Also, the software that we were doing was 6 specifically designed as a first pass, as research, 7 you know, how do you make this work. And we need to 8 get people in there figuring out what are the problems 9 with making the system work widely deployed. And 10 doing that with binaries is -- well, a binary would 11 not encourage this work that needs to happen. 12 MR. DAVIDSON: So you were not just asking 13 people to download it, you wanted to collaborate with 14 them and seek their -- 15 MR. DANIEL: Right. Manufacturers of these 16 class of systems worldwide, in England, in Japan and 17 places like this that we work with need to include 18 this software in their systems and they need the 19 source for DNSSEC to do this. 20 MR. GILMORE: I guess I would also add, the 21 network will only really be secured when the secure 22 version of DNS comes in each product. When it comes Page 20 1 as part of Microsoft Windows, when it comes as part of 2 NT, when it comes as part of the HP operating systems 3 and DEC's operating systems, et cetera. None of those 4 vendors would take a binary that they can't maintain, 5 they can't fix other bugs in. 6 The security is only a small part of this 7 applications. It's a distributed database and large 8 parts of it, you know, are unrelated to the security. 9 Those parts are still, still need evolution. They 10 still have plenty of bugs. And vendors need to have 11 access to the source code to work on fixing those and 12 evolving it to meet the needs of the future. 13 MR. DANIEL: And if I might add, you 14 don't -- in serious computer security you don't trust 15 things that you cannot examine. It's not security if 16 someone says it is. It's security if you can pore 17 over the actual source code and prove to yourself it's 18 secure. 19 MR. DAVIDSON: Okay. Thank you. Do you 20 have anything else? 21 MR. TIEN: Yeah. I went on for a long time 22 and that was actually just a summary, so -- Page 21 1 MR. DAVIDSON: Okay. Go ahead. 2 MR. TIEN: But I will probably cut down 3 what I was going to say because some of it is a little 4 long and John and Hugh have talked a lot about the 5 technical stuff. I want to review the background of 6 why we are here today and we are here today because 7 BXA changed its mind about what the software should 8 be. And on this I'm going to -- our position, of 9 course, is that the original classification was 10 correct and the reason why it was correct is because 11 it fit within clear language of the regulations and 12 here I'm referring to 5A002, notes F and G, which 13 relate to authentication for access control and 14 authentication, as well as data authentication, 15 calculating message authentication codes. And both of 16 those exemptions recognize that cryptography is going 17 to be present within those kinds of applications and 18 would permit that software or hardware to be 19 considered authentication even with the presence of 20 cryptography so long as the application doesn't use it 21 to encrypt for confidentiality and only for 22 authentication. Page 22 1 And there is a third exemption, and I'm not 2 actually sure of its status under the current EAR, but 3 under the old ITAR from 1992, software that protects 4 against malicious damage to computers, such as 5 viruses, would also fall within the authentication 6 category. And in the various revs to the EAR under EI 7 controls this virus thing was moved around. 8 Currently they took it out, but I think 9 that the philosophy behind it is consistent with what 10 we have been talking about, which is that this is an 11 application that serves the function of not just 12 protecting a particular computer but the Internet 13 itself from malicious damage, such as the case 14 mentioned. 15 MR. DANIEL: Actually, I would comment that 16 I don't believe he did malicious damage in the sense 17 of damaging anyone. 18 MR. TIEN: Okay. He certainly disrupted 19 things greatly. 20 MR. DANIEL: Actually, he only disrupted 21 the people who thought they were in control of that 22 space. All the users downstream from him got the data Page 23 1 they expected, they just didn't have any way to prove 2 it. 3 MR. GILMORE: No. Actually, when he 4 redirected it they got a different web page and the web 5 page included a diatribe about how they shouldn't 6 register names with Network Solutions. 7 MR. DANIEL: For all but the one site. 8 MR. TIEN: So in any case, I see that the 9 software in this case, that it can clearly be fit into 10 those exemptions and, therefore, there is no 11 difficulty with BXA's original classification. 12 Now let me turn to the second part of the 13 story, which was the reclassification. Now, as we all 14 know, that reclassification was apparently triggered 15 by the raising of an apparent inconsistency in BXA's 16 treatment of software of Mr. Karn's diskette in the 17 Karn case and the software here. And what I -- or 18 what I would like to say to that is I think that, that 19 the government could have responded in that case by 20 resting on the language of the regulations. That is, 21 the software on Mr. Karn's diskette was not the 22 software at issue in this case. Page 24 1 Integrated DNSSEC is not RSAREF. RSAREF is 2 a part of it, but they are different applications. 3 And the application at issue here is authentication 4 application. And it would I think have been very 5 reasonable and consistent with everything in the 6 written regulation to simply say you are comparing 7 apples and oranges here. One is authentication and 8 one is not. 9 Unfortunately, that's not how it turned 10 out. And what we have instead is an attempt to 11 produce a consistency by I think departing from the 12 regulatory language, which does look at items as they 13 are, and focusing too much on the items as they could 14 be. 15 Now, there is two possible tracks here. I 16 think Mr. Lewis's declaration to some extent implies 17 that the reclassification of the software was based on 18 new information, and while it might have been new in 19 one sense, as the person who wrote the classification 20 request, I want to emphasize that we did not in any 21 way hide what was in the software. 22 We were very clear about what it contained. Page 25 1 We were very clear that we wanted to get a 2 classification for it in source code form. And that 3 was why we -- and we, in fact, provided the source 4 code on diskette to BXA for its technical review. We 5 were not interested in trying to -- to be anything but 6 up-front. 7 So on this record, I think given that BXA 8 did not have, really have new facts for it to 9 reclassify the software, our position is that the only 10 reason for reclassification is a change in the law as 11 applied to those facts. And we believe that that is 12 the problem here. 13 Now, I will not belabor the applicability 14 of the exemptions or the language of the regulatory 15 exemptions for authentication any further. What I 16 want to move on to is the standard that was used on 17 reclassification. And that standard was what I have 18 called modifiability or easy modifiability. I 19 believe Mr. Lewis's specific words were something like 20 with minimal programming effort or with programming 21 effort. 22 And this poses a number of problems. And Page 26 1 the first and most obvious is the ultra-vires problem, 2 that this is not the written standard. And I have 3 talked about that a lot already so I will go on to the 4 next one. 5 And the next one is simply that this 6 standard would probably swallow up the authentication 7 exemption at least for any kind of authentication 8 software. First, there is no authentication function 9 without some encryption. We have talked about that 10 already. BXA recognizes this in the regulations, 11 which specifically mention that these applications can 12 have encryption. 13 Well, in software it's always possible to 14 modify the program. So if the rule is going to be 15 modifiability, then all authentication software is 16 going to be crypto software for the purposes of the 17 regs, and that will destroy the exemption. And as a 18 policy matter, as I have already said, that would be 19 unwise. 20 As a legal matter, it is not what the 21 regulations say. As a matter of construction, it's an 22 unreasonable way to read the regulations so as to Page 27 1 render the authentication exemption superfluous. 2 Next, we would argue that the standard as 3 articulated is essentially unadministrable or 4 unworkable and to the point that it would, if applied 5 in its present form, be legally vague, 6 unconstitutionally vague. It is -- it sweeps very, 7 very broadly. Once you say that the issue is can you 8 change the thing and not how is the thing designed 9 today, you have opened up an enormous can of worms. 10 I can't even really begin to say how one 11 might attempt to define the scope of that standard 12 once you actually tried to do it. I think Mr. Lewis 13 tried to do that in the notion of easily, but I think 14 that that doesn't work because you still have to 15 define easy. Easy for whom? All these sorts of 16 issues. And we have seen these issues before in the 17 encryption context with the problems of crypto-shaped 18 holes and they raised the same kinds of issues. 19 Now, having said that it is that we believe 20 that it is unworkable and would be vague, then I think 21 the final point is to go to the due process issue. 22 And you know, we -- our position is that right now we Page 28 1 have a relatively clear rule. It's tied to the 2 software as it's designed. What does it do? 3 To go away from that is to work a very 4 significant change in the regulations, and I am 5 concerned that it would not only be a significant 6 change for this particular area of regulatory 7 interpretation, but that it would affect the use of 8 the notion of designed and modified throughout the 9 EAR. 10 The idea that something is -- and that is 11 the regulatory language that appears throughout the 12 regulations, that something is designed and modified 13 to do X, and in general we are talking about the 14 function of the item as it comes to us. 15 Once you start breaking away from that you 16 are going to have considerable ripple effects I think 17 in the higher administrative machinery. I will bring 18 up, I mentioned this before, and we have seen a notice 19 for inquiry involving the definition of the term 20 specially designed, which is not directly relevant in 21 this case, but I have reviewed the comments on that 22 and it is -- and I believe the same sort of issue Page 29 1 comes up. 2 You have a much longer history with 3 specially designed running back to the '50s, which is 4 a really long time. But it's stable, it is basically 5 workable, and there is no need -- there is no need to 6 introduce uncertainty there. 7 Here we have a standard that, that at least 8 dates from 1992, possibly earlier in an unwritten 9 sense as to what authentication is, how this is going 10 to be handled. Six or seven years is I think a pretty 11 long time in the encryption area for some kind of line 12 to be drawn. There is an understanding of it. I 13 don't -- I see serious problems with changing it and 14 there are ripple effects. 15 From a legal standpoint, agencies are bound 16 by their own regulations, and the BXA clearly can make 17 changes to the rules but they did constrain them in 18 discretion when they created the rules covering the 19 present authentication exemptions. If you want to 20 change that, you should go through an open process. 21 I think one of the problems is, has been 22 the traditional unreviewability of the BXA Page 30 1 item-specific types of decisions. But I think that in 2 the end this, although this may give an agency a 3 certain sense of freedom at one level in dealing with 4 individual exporters, I think in the end it is 5 unproductive. 6 We believe that BXA would be sacrificing 7 the long-term legitimacy of the export rules for a 8 small short-term gain. And I think primarily with 9 respect to the litigation in the Karn case, I don't 10 believe that this is even a short-term gain with 11 respect to this particular software because it was 12 lawfully published after we received the initial 13 classification. It was available for a significant 14 period of time without restriction. It is overseas 15 and we don't think that the short-term benefits of 16 deeming this to be encryption software with the 17 collateral -- outweighs the collateral damage to the 18 scheme as a whole, and certainly to the policy 19 importance of -- of that formation for DNS security. 20 The arbitrariness of making a small change 21 for one person that is actually a significant change 22 for the meaning of the regulations is something that Page 31 1 will undermine the legitimacy of the BXA control 2 regime. People are encouraged to follow a system that 3 they perceive to be fair and reasonable, even if it is 4 not exactly what they want it to be. Because we all 5 recognize that systems are not perfect. But when you 6 tinker at the margins in order -- in such a way as to 7 undermine the overall legitimacy, you create a serious 8 problem. 9 So I'm going to conclude by saying that 10 there are no perfect rules, but this is pretty good. 11 And the standard that was used for this software is 12 one that is significant and at the very least if it's 13 going to be adopted must be done so in an open fashion 14 with public input on the record because otherwise you 15 are going to have serious problems in the general 16 scheme of regulations. 17 MR. DAVIDSON: Anyone over here want to say 18 anything? 19 MR. LEWIS: My thought was that the intent 20 here was to get us to take a second look at this 21 reclassification, so I wondered if you could describe 22 for us what it is that's in the product? If you could Page 32 1 describe that in some detail, that would be helpful. 2 MR. DAVIDSON: This is the -- 3 MR. LEWIS: In the product you are asking 4 for declassification. This is better than written. 5 MR. TIEN: I certain am not going to try to 6 answer that. 7 MR. LEWIS: Tell us what's in the product. 8 What is it comprised of? 9 MR. DANIEL: Maybe from your point of view 10 it's comprised of three basic blocks. The first block 11 is a traditional DNS server system that is run on 12 server computers that know how to participate in the 13 hierarchy of DNS-distributed database systems. This 14 technology has been deployed since sometime in the 15 '80s, mid to late '80s. 16 It was then modified via contract from the 17 U.S. government by TIS to include -- this is for us 18 the critical part -- the software modifications to DNS 19 to implement DNSSEC, DNS secure systems. 20 MR. LEWIS: Is this still on the first 21 block? 22 MR. DANIEL: Well, that's the second block. Page 33 1 There is the old stuff, there is the new stuff and 2 there is a library. Give it that overview. So the 3 new stuff is the ability to take a segment of data, of 4 pairs of information like a DNS name and a DNS -- or 5 an IP address and then sign those. And the signature 6 is simply a crypto hash that if the two things above 7 when processed by the right math don't add up to the 8 crypto hash, then you have bogus data. 9 So TIS wrote that software and that's what 10 makes it DNSSEC. And then you add in the RSAREF 11 library that actually does that mathematical test for 12 you, which is all we use it for, and that's the last 13 of the three parts. 14 MR. LEWIS: Okay. 15 MR. DANIEL: I will point out, I guess, 16 that if you can't actually do the math that says that 17 these two numbers or, you know, this DNS name and this 18 IP number equal this crypto hash, if you can't do that 19 math, there is no security. If you don't have that 20 last step there there is no reason to bother doing any 21 of this. 22 MR. LEWIS: And that's the application you Page 34 1 use the RSAREF library for? 2 MR. DANIEL: Yes. Well, there is also the 3 generating of the key pairs originally, and the 4 signing of the data and stuff like that. There is a 5 lot of ancillary things that go with this. 6 MR. LEWIS: Okay. 7 MR. DAVIDSON: Let me ask a question here. 8 I'm trying to phrase it intelligently. Is it correct 9 or incorrect that the library you spoke of could be 10 used to encrypt text data for confidentiality, as the 11 licensing authorities have said in this case, 12 versus -- do you disagree on a technical matter as to 13 the ability to take this, the source code for this 14 package, out of the program and use it for more than 15 authentication? 16 MR. DANIEL: The mathematics for doing 17 authentication and encryption is the same. So 18 mathematically anything that can do encryption -- 19 excuse me -- can do authentication can also do 20 encryption. So any piece of code, be it binary or 21 source, you can pull out and make do the other. 22 MR. GILMORE: But as the product was Page 35 1 created and as we intended to export it, there is no 2 way for a user to access that functionality. If they 3 just build the product, install it, there is nothing 4 that they can do that will encrypt text data for 5 confidentiality. 6 MR. DANIEL: Even more so, the entire DNS 7 protocol that we are working with on the security DNS 8 protocol, the modern version of it, nothing in there 9 can be transmitted encrypted. The protocol that 90 10 percent of the software implements or more does not 11 have a place for encrypted communications. So it 12 would take an expert level programmer to go in and rip 13 out the parts, the mathematics in the bottom that does 14 authentication and make it do encryption. But that 15 would be no different than given to a binary more or 16 less. 17 MR. TIEN: There is no secret button in 18 there that allows you to turn it around to use it for 19 something else. It is to the maximum extent possible 20 under our constraints tied to the authentication. 21 That's what it does. 22 MR. LEWIS: Could you perhaps describe that Page 36 1 in a little more detail, including the way there is no 2 way for the user to access, just in some more detail? 3 That would help us. 4 MR. DAVIDSON: And excuse me. Before you 5 answer, at least for me, do whatever you want, but if 6 you feel it relevant, differentiate between the 7 ultimate compiled program and the source code on that. 8 The question I would guess, maybe the answer is 9 different, maybe it's not. Go ahead. 10 MR. TIEN: John, why don't you. 11 MR. DANIEL: Yeah, I'm not certain how I 12 would answer your question. 13 MR. DAVIDSON: If my question is wrong tell 14 me. But I thought Mr. Gilmore's comment a minute or 15 two ago was something which I don't believe there is 16 any disagreement over, that you can compile the 17 program, you put it on the server and you use it, but 18 it has no capability of encrypting data for 19 confidentiality. I don't understand that to be the 20 issue here. 21 I think the concern is with the source code 22 and taking the module or whatever out of the source Page 37 1 code and then putting it in something else and 2 compiling that and then having a piece of software 3 which will encrypt data for confidentiality. I'm 4 sorry. Did you want to say something? 5 MR. GILMORE: Sure. It's certainly 6 possible for an expert programmer to sort of take a 7 piece of this and build some scaffolding around it and 8 create something that would do encryption, but I think 9 it takes a similar level of effort -- there are many 10 other ways that they could do the same thing, 11 including ways that involve taking nothing out of DNS 12 Security, just using standard textbooks in the field 13 to do the same thing, for example. 14 So I guess having this library in the 15 source code in a sense makes it, you know, makes 16 another path that people could use to produce software 17 that encrypts texts for confidentiality. But I don't 18 think it significantly increases the likelihood of 19 that happening. I think if people want to encrypt 20 text for confidentiality outside the States there are 21 ample ways for them to do that. 22 MR. DANIEL: This is not a simple nor a Page 38 1 straightforward way of going about getting 2 confidentiality. 3 MR. LEWIS: Are there things built into the 4 product that make it more difficult or that affect the 5 ability to do that though? Is there any modification 6 or feature of the product that -- 7 MR. DANIEL: By contract we cannot modify 8 the RSAREF library in any way, shape or form. 9 MR. LEWIS: That's a contract with RSA? 10 MR. DANIEL: That's RSA's licensing with 11 everyone. 12 MR. TIEN: Intellectual property. 13 MR. DANIEL: So there is nothing we can do 14 at that level to change things. It's certainly not 15 easy to make it work even right. That's why this is 16 cutting edge and not easy for everyone to do, because 17 this is a hard problem. 18 MR. ZIA: The next question is is there a 19 difference, just so I understand, of how programming 20 works? Which is probably more basic than probably 21 anyone else on this side of the table. But I 22 understand why you want to allow user access to source Page 39 1 codes so they can modify it to fit the application 2 that they are using, because one size doesn't fit all. 3 And you talk about there being a 4 requirement or rather that an expert programmer could 5 probably rip the RSAREF piece away. But at what 6 level, I guess, of programming skill is required just 7 to modify it to fit a regular application that someone 8 has? Don't you have to have -- doesn't that require 9 more of this expert level in order to use the source 10 code to modify it to, you know, whatever application 11 you want to use it for? Do you understand my -- 12 MR. DANIEL: You have to write the 13 application and if you are going to write the 14 application there are better, newer, faster, cleaner 15 public domain versions of the same mathematics 16 available worldwide written by non-U.S. citizens that 17 if you use you won't have a pile of RSA lawyers 18 running on your doorstep charging you with 19 intellectual property theft. 20 MR. ZIA: My point is the person who would 21 be able to use the source code would have to be on an 22 expert level so wouldn't the person be able to figure Page 40 1 out a way to pull out the RSAREF? I mean, are you 2 saying at one level a person -- sort of a day-to-day 3 person who has a lot more knowledge than I have but 4 not qualified or knowledgeable enough to take the next 5 step? 6 MR. DANIEL: It takes a fair amount of 7 paranoia and experience to do any crypto-related 8 programming for authentication or privacy and, yes, 9 you could take a lower level person out there and have 10 them, you know, try to rip a library out of something 11 like integrated DNSSEC and put it into an application 12 to provide privacy and there is maybe one chance in 30 13 that it will be properly done and provide privacy 14 unless you have got someone who is really aware of all 15 the various problems there are using crypto 16 mathematics. 17 MR. TIEN: If I could restate that. There 18 is a difference between being good at programming and 19 being good at information security. There is a big 20 difference. You could be a really, really good 21 programmer and be able to code your way all around 22 that thing, but that doesn't mean that you can build Page 41 1 an application that is actually going to encrypt well 2 the way that people want to use it. They are really 3 two different things. 4 MR. DANIEL: I guess maybe I can expand on 5 this by pointing out that you will notice that the 6 RSAREF is a small library that we use actually for a 7 minuscule amount of time that the application is 8 running, just to run the mathematics that we have to 9 have to get the authorization. Most of the rest of 10 the time the program is doing other things. 11 This is -- the same is also true for other 12 applications. So if you were to do a privacy 13 application, you know, rip out this library from a 14 certain PGP or someone like this, most of the work is 15 doing this other stuff all of the time and actually 16 most of the security is also coming from other places. 17 Where do you get the random numbers? Where do you get 18 the protocol word? Much the same as for secure DNS. 19 It's the protocol design, it's the where are these 20 numbers coming from, are they generated properly, et 21 cetera, et cetera. 22 MR. TIEN: And one of the things -- I mean, Page 42 1 Hugh and John were the programmers here, will I think 2 with some precision continue to refer to RSAREF as a 3 library. What it is -- RSAREF is not, as I understand 4 it, an application. It -- 5 MR. GILMORE: Correct. 6 MR. TIEN: It is a bunch of sub-routines 7 that do the mathematical function, the exponentiation, 8 and various other, that somebody else doesn't really 9 understand, but it's like having little smart agents 10 that can crunch certain kinds of odd numbers and do 11 certain kinds of mathematical tasks for you. But you 12 still have to line them up the right way. You have 13 to -- I mean, all that is involved in an encryption 14 for confidentiality is how you use those sub-routines, 15 not the sub-routines themselves. 16 MR. LEWIS: What would happen to the 17 product if you took the RSAREF out of it? 18 MR. DANIEL: It would continue to function 19 as a DNS server in all respects but security. At that 20 point it would not be able to test the mappings 21 against the crypto hashes within it and you would have 22 no idea if you were talking, as I said in my earlier Page 43 1 example, to deposits at Citibank or deposits at 2 Medellin cartel. There would be no way to tell. 3 MR. LEWIS: Okay. 4 MR. DANIEL: So the authentication function 5 disappears entirely when you take out that math. 6 MR. LEWIS: Got it. 7 MR. ZIA: One of the earlier questions 8 about -- you had said that there is no way to modify 9 the software to protect against the RSAREF without 10 breaching, violating the agreement to use the library. 11 I'm wondering if there is an alternative way to 12 building the -- without modifying the library itself, 13 building a stronger cage, something with bars around 14 it to protect from people that have the capability or 15 making it more difficult for them to try to break 16 through and steal that part of it. 17 MR. GILMORE: I guess I can speak to that. 18 MR. TIEN: I'm not going to. 19 MR. GILMORE: The DNS part is already a 20 cage around it effectively. We could build another 21 internal cage inside the cage, but I think that the 22 position the department is taking is that it doesn't Page 44 1 matter how many layers of cages there are if you can 2 just let the animal out and reuse it somewhere else. 3 In source code it's hard to put a cage around a 4 particular function. 5 MR. DANIEL: In the source of binary I can 6 still go through the cages because at some point my 7 CPU has to execute those instructions. 8 MR. GILMORE: As it turns out, one of the 9 problems, the intellectual property licensing on 10 RSAREF was one of the problems with this software. It 11 only permits non-commercial use. The RSA library only 12 permits non-commercial use. And this would have 13 prevented widespread deployment of DNS Security. 14 TIS used that library because it was 15 convenient as they were in the research phase. But I 16 ended up negotiating a license with RSA that permits a 17 different library to be used called DNSsafe that is 18 tailored specifically to the requirements of DNS 19 Security and removes all -- anything other than that, 20 and negotiated with them a worldwide license to permit 21 both commercial and non-commercial use. 22 Now, we negotiated that license more than a Page 45 1 year ago and we have that software available but we 2 got hung up at the RSAREF level with actually trying 3 to integrate this into the regular DNS maintenance 4 process, because it's -- because of the department 5 contending that it's not exportable. 6 DNS maintenance happens worldwide. There 7 is an collection of people, a mailing list. The 8 server itself is called BIND, the Berkeley Internet 9 Name Daemon, and there is a list called BIND-workers of 10 people who work on it intensively and it has about 400 11 people on the list and these people are all scattered 12 around the world. They go through new releases of the 13 software every month or a couple of weeks, try it on 14 their machines, make sure that it's all working, send 15 back in any local changes that are required and 16 gradually work as a team to produce stable, solid 17 releases that then go out to the vendors, to the main 18 user community. 19 Those people basically were not able to 20 touch the software because of the export uncertainty 21 around it. They couldn't add the security features. 22 And so part of -- well, we had two issues there. We Page 46 1 had the intellectual property problem that it only 2 permitted non-commercial licensing and we had the 3 export. So I negotiated the license with RSA to deal 4 with the intellectual property problem and Lee and 5 Hugh had filed the request to clear up the export 6 uncertainty and when we got here in '99 we thought 7 that was all cleared up but then further complications 8 have made it uncertain. 9 MR. LEWIS: Go ahead. 10 MR. TIEN: I just wanted to add one quick 11 point, because I think a part of what both Jim and 12 Hoyt are asking about is is -- was there -- is there 13 more that can be done to sort of limit the crypto, 14 potential crypto functionality and I think that the 15 basic problem goes back to what Hugh said, which is 16 that this is the math for authentication and the math 17 for encryption are the same. It's raising and 18 multiplying big numbers and raising numbers to powers 19 and then, and factoring and this sort of stuff and 20 that's common. You could probably -- you might be 21 able to do things, to take more stuff -- you might 22 have been able to take more stuff out and have the RSA Page 47 1 license not been so constraining, but it would still 2 at the end of the day I think be possible for your 3 department to say this still contains the math. 4 MR. DANIEL: And is still modifiable. 5 MR. TIEN: Right. And therefore is still 6 modifiable. And that's why I keep going back to say 7 that the regulations as they are written already 8 understand that. Because they say there can be 9 cryptography in authentication, they recognize, as you 10 know, by text and policy that the math is the same. 11 MR. ZIA: Is there authentication software 12 that is different to the extent that you cannot take 13 the, I guess the crypting source code out and use it 14 for encrypting -- for use other than authentication? 15 MR. DANIEL: At my level, no. At your 16 level -- 17 MR. TIEN: At our level everything is 18 impossible. 19 MR. DANIEL: At your level, you are caring 20 about the application, which is what we are doing, and 21 our application does in no way anything privately. It 22 is just authentication. Is that distinction clear? Page 48 1 MR. ZIA: I guess what I'm trying to 2 understand, and you probably may have to go into a lot 3 more detail is essentially your point, I think, Lee, 4 is that we have eviscerated this exemption for 5 authentication so it's an empty box as it were, 6 because you are saying, I think, that any 7 authenticating software is going to have the same 8 problem, that is, someone can go into it if it's a 9 source code and take out the encryption part of it and 10 use that encryption part to do the same thing that we 11 said the RSAREF will do, but be able to use that to 12 encrypt data as opposed to just perform the 13 authentication function. And that's what I'm trying 14 to understand, if that's what you are saying, that's 15 true across the board. 16 MR. TIEN: It is. Based on my technical 17 level of understanding, which is not that much greater 18 than yours, my understanding is it is not possible. 19 That you will have a problem. The hardware might be a 20 little bit different, but it's still -- but if there 21 is a chip that does exponentiation, you are still 22 going to be able to modify it or hook it up in a Page 49 1 different way. At the bottom you have -- my 2 proposition is if you want to have an exemption for 3 authentication, it's going to have to allow it to have 4 math. 5 MR. LEWIS: Could you describe the 6 differences between the DNSsafe and RSAREF? 7 MR. GILMORE: Well, they come from 8 different origins within RSA Data Security, who wrote 9 both of them. The DNSsafe is based on an old version 10 of their commercial library called BSAFE and they 11 rewrote that library some years ago and decided that 12 it wouldn't threaten them commercially to release 13 parts of the older version for free public use. 14 I think RSA has as much interest -- well, 15 RSA has publicity problems in general. They have been 16 administering their patents with kind of an iron hand 17 for a long time and they need people on the Internet 18 to feel good about them because the patent is about to 19 expire. So this was sort of I think a good will 20 gesture on their part saying, look, we are letting 21 this be used for good purposes, we are not charging 22 you for it, we are out there helping to secure the Page 50 1 Internet, et cetera. 2 So they took what was a fairly complete 3 library called BSAFE and took out everything that DNS 4 Security didn't need, which takes lots of algorithms 5 out and takes lots of protocols away to encode data. 6 They still had to leave in encryption for 7 confidentiality because the private key that secures 8 your DNS data has to be encrypted on your disk, 9 otherwise if someone breaks into your machine they can 10 pull out your private key and impersonate you. 11 But that's the only use of authentication 12 for confidentiality is to protect the keys. And we do 13 have the ability to modify that library, you know, if 14 we need to, which we didn't have with RSAREF. So 15 there are certainly things that could -- if you can 16 think of things that could be done to it that would 17 continue to allow it to be used for authentication and 18 would somehow make it more acceptable for you, then 19 that would be an interesting thing to explore. 20 MR. LEWIS: But that wasn't -- you didn't 21 submit a DNSsafe for us to review? 22 MR. GILMORE: No. It took -- well, Page 51 1 integrating that into the rest of the TIS stuff took 2 some time. 3 MR. TIEN: Because the TIS release that -- 4 that Hugh started with was based around the RSAREF 5 library. 6 MR. GILMORE: Because DNSsafe didn't exist 7 at that time. 8 MR. TIEN: DNSsafe didn't exist until when? 9 MR. GILMORE: I would have to look. It was 10 last year, I think fairly early. 11 MR. TIEN: But that was in early 1998. 12 MR. DANIEL: No. It was mid spring by the 13 time we were done with that. 14 MR. TIEN: And we submitted the original 15 classification in '97 and actually I started the 16 process in December of '96. 17 MR. DANIEL: One thing that might be 18 helpful to point out here is that this is critical 19 infrastructure software that people who are going to 20 use this have long lead times on. This is going into 21 operating systems like UNIX and Linux and other 22 operating systems that we don't even understand and Page 52 1 know about. It's going into financial networks. So 2 there is a fair amount of time that anyone needs to 3 start trusting the software, to start working with it 4 and fitting it into their environments, which is why 5 we have been working on this for several years already 6 even though the problem is just beginning to creep up 7 into annoyance level. 8 MR. LEWIS: Do you have a version of the 9 product that incorporates the product, integrated 10 DNSSEC that incorporates DNSsafe rather than RSAREF? 11 MR. GILMORE: I don't have a version but Trusted 12 Information Systems does and we could try talking to 13 them about it. 14 MR. LEWIS: Okay. 15 MR. DANIEL: But certainly it's not in the 16 main line of development of the software at this point 17 in time. 18 MR. LEWIS: Why is that? 19 MR. DANIEL: Partially because we had 20 export permission for integrated DNSSEC and that's 21 what people started using. 22 MR. TIEN: Resources started going into Page 53 1 that. 2 MR. DANIEL: That's why there are copies 3 available worldwide on various web servers is because 4 people grabbed it and started working with it. 5 MR. DAVIDSON: So is development on the 6 problem that you identified at the hearing of the 7 vulnerability of the DNS system, is development 8 worldwide still progressing based on this software 9 package? 10 MR. DANIEL: Based on integrated DNSSEC 11 because that's all that is available. 12 MR. GILMORE: It's happening on multiple 13 tracks. The DARPA has paid TIS to continue evolving 14 the software, which in our version is frankly a 15 prototype. It wasn't ready for prime time. When we 16 first submitted it it was a while ago and TIS has done 17 more work since then. But we didn't see the point in 18 continually trying to update the software in your 19 process because the result should be the same. You 20 know, the software itself was really not at issue 21 here. What's at issue is the principle of is it 22 possible to export authentication software in source Page 54 1 code. If it's not possible, then it doesn't matter 2 which software you are going to export. 3 MR. LEWIS: Putting aside some of the IP 4 questions and your licensing questions with RSA, is it 5 possible to make RSAREF more like DNSsafe? And you 6 were describing how DNSsafe was limited by RSA. Is it 7 possible to do that to RSAREF? 8 MR. GILMORE: It might be possible. 9 MR. LEWIS: Technically possible and then 10 you have the IP problems. 11 MR. DANIEL: You could certainly go in and 12 delete unused portions of the RSAREF library in the 13 integrated DNSSEC. When you were done deleting those 14 portions you will have deleted parallel encryption 15 abilities and parallel authentication abilities but 16 there would still be encryption or there would still 17 be the math that is the same for both encryption and 18 authentication in there. 19 MR. LEWIS: Go over that a little more 20 slowly. So you could delete unused portions? 21 MR. DANIEL: You could delete the unused 22 portions, but you would be like cutting off a man's Page 55 1 left arm and being annoyed that he still has a right 2 to hold the saber in. And we are going to have to 3 have an arm no matter what because the mathematics is 4 the same. So you can get rid of some of the 5 duplication and make the library smaller and more 6 focused, and in some sense from your point of view you 7 are simply making it easier for other people to use 8 the library at that point because it is now a smaller, 9 simpler target that makes more sense and has more 10 examples of how it's used. 11 MR. LEWIS: But what would you cut out? 12 What would you delete? 13 MR. DANIEL: Mostly there is -- actually, I 14 don't know what all else is in there because I don't 15 use it. The only calls I have looked at are ones on 16 the main line of what we are doing. There are some 17 other encryption algorithms in there that aren't used 18 by integrated DNSSEC that -- mostly they are the 19 symmetric key stuff. Isn't there a triple -- 20 MR. GILMORE: I don't actually know. I 21 haven't gone through that exercise either. 22 MR. TIEN: The government claims that there Page 56 1 is some sort of -- 2 MR. DANIEL: Yeah. Can you delete that? 3 There are some other modes that it has for calling the 4 RSA functions in. There is a lot of weird 5 cryptographic, is it in CBC mode or blah, blah, blah. 6 There are some other calls into the system that we 7 don't use that can be deleted. But once again, that's 8 kind of trimming the fat off and the steak is still in 9 the middle there. 10 MR. TIEN: We certainly, I don't believe in 11 all our discussions, we don't have -- those are not -- 12 there is no resistance to doing that. It just 13 couldn't -- 14 MR. GILMORE: Well -- 15 MR. DANIEL: It's a waste of time. 16 MR. TIEN: Well, okay. 17 MR. GILMORE: There is a resistance on one 18 level because there is an issue that under one 19 interpretation of the regulations the EAR doesn't even 20 apply, because it's public domain authentication, 21 which is exempted from the strict -- or exempted from 22 the entire controls of the EAR. Page 57 1 So on that interpretation it's basically 2 sort of a First Amendment cut-out that says you have 3 the right to publish this and the government can't 4 tell you what you are allowed to say or not say. On 5 this other interpretation of the regulations then, the 6 government has full discretion to say what can go 7 across the border and what can't. And there is a very 8 sharp cliff between those that sort of rests on what 9 exactly do those regulations mean? 10 And that sort of goes back to Lee's earlier 11 point that says, I think it behooves the department to 12 make -- to constrain itself to actually following its 13 own regulations, even though it can't necessarily be 14 forced to do that by courts because it encourages 15 people to actually follow them themselves. 16 If as an exporter I'm likely to get 17 arbitrary treatment when I send in a license 18 application I won't send one in. I will do my best to 19 follow the regulations as written and then I will just 20 go with the luck, you know, rather than poke my head 21 up and attract the attention of an arbitrary 22 department. Page 58 1 MR. DAVIDSON: I had a couple follow-ups 2 and let me make a preface. As we were talking before, 3 this is appeal number seven of '98 so we don't have a 4 lot of these, but we often hear that the adverse 5 decision or the impact and harm of the adverse 6 decision of the department on the exporter, and you 7 have talked about that to a great extent on the 8 vulnerability of the system and all of that. 9 I guess my question, without knowing 10 whether the answer is even relevant, is what other 11 impacts, if any, are there? Is there any pecuniary 12 impacts on you, any proprietary impacts on you? And I 13 guess a part of that is while I noted your 14 conscientiousness and apparent good faith at solving a 15 very difficult problem that I'm not sure anyone 16 denies, I'm not sure I understand your role in this 17 software and its development. And I don't know 18 whether that information would be relevant to the 19 appeal or not. 20 It would probably not be supremely relevant 21 but it might be interesting to know what role you play 22 in this in either a pecuniary measure or an Page 59 1 intellectual measure or whatever. 2 MR. TIEN: I'm going to let them answer 3 that question but I want to preface their answer with 4 a general comment. One of the problems I think that 5 your export control regime in the existing EAR has 6 with people like my client is that you have been 7 oriented toward a commercial, very commercial world of 8 large businesses that have a lot of contracts with 9 arrangements, with business contracts and arrangements 10 with the government or other governments or other 11 foreign entities and it's all a very commercial sort 12 of world. But the -- the Internet, the people that 13 built the Internet or have been maintaining the 14 Internet since the U.S. Government sort of really 15 jump-started it, are -- at most have one foot in that 16 world. There is certainly a major commercial 17 component to Internet maintenance and development, but 18 there is equally a major, you know, hacker, 19 non-commercial, you know, wizards who stay up late 20 component of organizations like the IETF, which I 21 believe stands for the Internet Engineering Task 22 Force, the Internet Society, the way that domain names Page 60 1 used to be handled. 2 There is a huge, one might call it 3 non-commercial infrastructure of programmers, of 4 computer scientists, of systems administrators and 5 engineers who have been doing this, and the work they 6 do, the way they put out software, is not the same way 7 that Microsoft puts out software or, you know, these 8 other companies. And it is a much more collaborative, 9 much more non-profit and much more sort of sharing of 10 the information and that's one reason why I am 11 detecting, and don't want to put words in anybody's 12 mouth, but a big part of the problem here is that we 13 asked for a classification for the source code and 14 your reaction to that seems to be, oh, my God, why are 15 they doing this? If you are doing this in source code 16 you must be doing it in order to make it easier for 17 people to mess with. 18 But the tradition in what I am calling the 19 sort of other side of the Internet maintenance is 20 source code, and not for nefarious reasons, but 21 because that's the way to get the work done. 22 MR. GILMORE: I do have some small Page 61 1 pecuniary interest in this in the sense that I paid 2 Hugh as a contractor to work on this stuff, I paid Lee 3 to do all the legal work on this stuff. To the extent 4 that the project doesn't accomplish its objective of 5 securing the Internet, I have spent money and gotten 6 nothing out of it. So I have an interest there. 7 But the amount of money is relatively small 8 compared to lots of other things that I do. The 9 overall interest, the reason that I'm doing this at 10 all, is because I care about the stability of the 11 Internet. I'm on the Board of Directors of the 12 Electronic Frontier Foundation which looks at civil 13 rights and civil responsibility on the Net. I'm on 14 the Board of the Internet Society, which exists to 15 foster the culture of the Internet and continue the 16 evolution, technical evolution of the Internet. 17 As Lee pointed out, the Internet 18 Engineering Task Force is one of the things that 19 happens under the Internet Society umbrella, and there 20 has been a much stronger focus in the last five years 21 in Internet engineering on realizing that the network 22 that we all put together was a research prototype, Page 62 1 funded by an advanced research agency to collect, to 2 connect up centers of excellence in universities. 3 It wasn't designed to withstand massive 4 attacks. It wasn't designed to underpin the entire 5 infrastructure of commerce or of how citizens interact 6 with their government or even to carry the volume of 7 love letters between husband and wives that it now 8 carries. 9 So there has been a conscious and 10 significant effort to re-engineer protocols of the 11 Internet so that they do actually provide utility 12 quality protections against disruptions, whether 13 malicious or accidental and such. 14 And I have spent a long time in the 15 Internet culture. I worked at Sun Microsystems in 16 the early days, which benefited greatly from being an 17 Internet company. Frankly, it made me rich. It 18 raised me out of the middle class and has given me the 19 opportunity to work on what I choose to work on and 20 what I have been choosing to work on is to try to pay 21 back society for the wealth it's given me by using 22 some of that wealth to try to raise the Page 63 1 infrastructure, to try to make it something that as we 2 all come to depend on it it won't fail us in times 3 when we need it. So that's what brought us into this 4 whole process. 5 MR. LEWIS: Can I ask who the target 6 audience was for the product? Who are you thinking 7 would get this? If you want to export it, it's not a 8 mass market product, right? 9 MR. DANIEL: It's not a mass market 10 product. There are two categories of people. Early 11 adopters, large sites, universities, maybe a small 12 nation state domain like dot IE for Ireland or 13 something like this that wanted to start getting this 14 into their processes, into their operations, learning 15 the technology, how it works, how they can use this to 16 authenticate their end-users. Stuff like this. 17 And the other major category is people 18 doing these systems, doing UNIX distributions, OSs, 19 maybe even large applications like say a bank to start 20 figuring out how do I test, what trust can I put in it 21 knowing that this IP address equals this name, et 22 cetera. It certainly wasn't going to be used by your Page 64 1 average Joe small business, although they need to use 2 it eventually. 3 MR. LEWIS: But you would see them getting 4 it from a service provider, being built into something 5 they purchased not something they would -- 6 MR. DANIEL: Yeah. In the long run this is 7 too much fiddling around by a long shot for people to 8 add in. Although, right now that's what I'm working 9 on getting people to do. For instance, until you run 10 the software you can't even mirror my data or John's 11 data in the DNS space. Because it breaks the old 12 servers. So getting it out there is important to us 13 because right now our -- since we run this stuff 14 experimentally our data isn't well distributed across 15 the space because servers that get it often crash. 16 I wanted to answer the previous question 17 and that is there are reasons I'm involved in doing 18 this too, not just because it's work for hire or 19 something like that. I'm doing this work because I 20 have spent a long time building community in 21 cyberspace. I was the person who suggested and helped 22 create the first UNIX box that provided access to the Page 65 1 Internet for anyone in the community anywhere. This 2 was back in Michigan in the early '80s. 3 So I have been trying to provide access to 4 the Net and tried to explain how it's useful to people 5 for many years. I have also been doing consulting in 6 many industries, including in commercial and financial 7 industries, and when somebody says I want to do my 8 banking over the Net, how do I make certain I'm 9 talking to the right people, I kind of go, well, you 10 don't. You don't have a choice of securing your 11 infrastructure until this problem is generically 12 solved. 13 And I foresee that someday in the future 14 when I'm bored and I need to go off and find some 15 other work and I need these tools in my civil society, 16 and that this really is for me building a civil 17 society; extending the tools that we have been 18 developing in our day-to-day world into the Internet 19 world where it's appropriate and useful. And, 20 finally, I'm going to warn you as John was saying, the 21 IETF is developing a security -- security -- 22 MR. GILMORE: Architecture. Page 66 1 MR. DANIEL: Not architecture. There is a 2 consensus that this has to go in everything everywhere 3 all the time and the IETF is specifying protocols that 4 implement this stuff. And either this particular one 5 is unusual in that this is a base technology that we 6 all have to share, but many of the future things that 7 the IETF is defining are more application level things 8 than this, and they are going to have crypto in them 9 and those products can come from within the U.S. or 10 not. 11 MR. LEWIS: Do you find it, your product 12 now being used in the United States and Canada to 13 which the export -- you have a community of people you 14 want to distribute this to and some are in the U.S. 15 and some are not. Did you make the distribution to 16 the ones in the U.S. and are they using it or is there 17 some other -- 18 MR. DANIEL: It is in use in a small number 19 of places inside Canada and the U.S., and maybe even a 20 smaller number of places outside. It really does need 21 to be reved, it does need to be pushed forward. We 22 need to go through taking the work that TIS and others Page 67 1 have been doing and folding it back into this 2 mainstream stuff all at once and get it out again. 3 MR. LEWIS: And what are they using it for? 4 MR. DANIEL: It doesn't do anything but 5 DNSSEC. 6 MR. GILMORE: All the people who are using 7 it are basically experimenters. They are people who 8 are trying to push the technology forward. 9 MR. DANIEL: Universities, corporations. 10 MR. GILMORE: One of the big issues around 11 deploying this is nobody has ever built at this big a 12 database with authentication in it, this widely 13 distributed a database. You tend to have sort of 14 centralized Oracle servers and they tend to have much 15 different characteristics. 16 We really don't know how easy or hard it 17 would be to operate a widely distributed database that 18 has keys that expire every six months and the data 19 needs to be resigned. There is a huge operational 20 component that we have never gotten to because we 21 couldn't get the software out to people. 22 So we have tried to deploy that inside the Page 68 1 United States to individuals to say please start using 2 this, tell us what operational issues come up and as 3 we evolve the software we can make it easier for 4 addressing those issues. 5 MR. TIEN: But it's a scale problem. We 6 just don't know whether it scales up. 7 MR. GILMORE: Yeah, there is a scale 8 problem. There is an ease of use problem, that 9 something that a wizard administrator can do is much 10 different than an ordinary administrator or end-user 11 can do. But there is a very sharp line between being 12 able to publish something and having to give out 13 individual copies to people. And the way the fluid 14 and kind of evolutionary process of Internet 15 development has occurred has been through publication. 16 MR. LEWIS: On the Net you mean? 17 MR. GILMORE: Well, even before the Net, 18 though. 19 MR. LEWIS: You don't mean a book, right? 20 MR. GILMORE: No, I don't mean a book. But 21 public access. For example, I think the reason the 22 Internet exists today is because Berkeley made their Page 69 1 version of UNIX freely available. DARPA paid U.C. 2 Berkeley to write the Internet protocols and put them 3 into a version of UNIX and Berkeley would basically 4 sell that on tape to anybody who wanted it. 5 MR. DANIEL: And that wasn't a sale for 6 profit. It was just the cost of duping a tape. 7 MR. GILMORE: Right. All of the computer 8 companies like Sun, went to Berkeley, got the tape, 9 put that software in their systems and all of a sudden 10 all those systems could talk on the Net and it sort 11 of mushroomed from there, because it was free. 12 MR. TIEN: Like HTTP protocol invented by 13 what, Berners-Lee. 14 MR. GILMORE: At CERN. 15 MR. TIEN: Right. And it was made public 16 and which allowed everybody to adopt it and talk to 17 each other. 18 MR. GILMORE: I call it reducing the 19 transaction costs of cooperation. Basically, you 20 don't need to ask someone for permission, you don't 21 need to ask somebody to get a copy, you can get a copy 22 if you have the interest, mess with it and send back Page 70 1 improvements to it. And that has caused much more 2 fluid, much more evolutionary development on the 3 Internet than the traditional style of we are going to 4 cut a major release every two years and the customers 5 can't modify it and can't see how it works. 6 MR. DAVIDSON: Are we close to finishing? 7 If so, let me -- 8 MR. TIEN: I have nothing more to say. 9 MR. DAVIDSON: All right. Let me just make 10 one comment, which you may want to respond to now, 11 respond to in writing or not respond to at all. And, 12 in fact, I think Mr. Reinsch has indicated that he 13 would consider any further information you want to 14 submit. 15 MR. TIEN: It is my intent to do so. 16 MR. DAVIDSON: Speaking only for myself, I 17 understand your arguments and I think for the most 18 part they are well set out and I think the issues are 19 pretty clear. The one argument that I do question is 20 this. 21 Let's assume for the sake of argument that 22 Mr. Reinsch were to decide that it is correct to Page 71 1 classify the software as 5D002 whatever. Then he goes 2 and -- well, he may want to end at that point. But 3 you, I believe, would want him to consider the reason 4 for the change from '97 to '98, whatever the years 5 were. And you address that in your letter, you 6 addressed it here. I guess I don't sort of as a legal 7 matter see what is the test he develops. 8 If he assumed, if he finds that it is a 9 correct classification -- if he finds it's an 10 incorrect classification then it doesn't matter 11 because presumably if it was incorrect it will make it 12 into the EAR 99 and you are happy except for the year 13 it wasn't. What if, however, he determines that it's 14 correctly classified in June of '98? What is he 15 looking for legally? What's the test? 16 I guess you could get off into things like 17 the guilty man goes free because the magistrate messed 18 up and those kinds of things. I don't know if you 19 want to address this now. Maybe you don't. It just 20 seems to me that it's not clear how he would say while 21 the June '98 decision was correct on the regulations, 22 something which you don't concede of course, but let's Page 72 1 assume he gets to that point, but that he should then 2 say well because of some procedural error I'm going to 3 make it EAR 99? 4 MR. TIEN: Well, this is a tentative 5 response but, you know, of course our position is that 6 the -- first of all, I have to start with our 7 position, which is that the original decision was 8 correct and the original decision was correct because 9 of the way the Regs are written. I actually have a 10 very hard time sort of grappling with the hypothetical 11 that you set forth because I see no way that it can be 12 done consistently with the language of the regulation, 13 given that there is new information, given the 14 language of the regulations that permit authentication 15 which contain crypto, which would seem clearly to 16 understand the technical point we have been attempting 17 to develop. What I think that Mr. Reinsch would be 18 better off explaining, and deciding that this was I 19 guess 5D002, that this is authentication software and 20 explaining why it is authentication software and not 21 encryption software along the lines that I discussed 22 previously, when I was, you know, criticizing the way Page 73 1 that the government responded in the Karn case, that 2 it was not simply not necessary for the government 3 to -- the government was in a sense, when it 4 reclassified integrated DNSSEC, was answering the 5 wrong question. It was -- it was comparing two things 6 that were not the same. It was attempting to make -- 7 essentially, we believe that Mr. Karn raised a false 8 inconsistency that -- 9 MR. DAVIDSON: Excuse me. If I could 10 interrupt. I think you have made that argument before 11 and I understand that. 12 MR. TIEN: Okay. 13 MR. DAVIDSON: And I can't speak for 14 Mr. Reinsch, but I believe that if I were deciding it 15 I would first address the issue you just talked about, 16 whether or not it was correct to change. And you 17 don't have to answer this. I'm just saying, if you 18 lose on that, what -- how does he -- you are writing 19 his opinion for him. He has unfortunately for you 20 decided that it was correct to do, at least as a 21 matter of the software and the Regs, but you want him 22 to come out with an answer that is EAR 99. How do you Page 74 1 write that opinion? That's my question. 2 MR. TIEN: I think I will have to answer it 3 because I believe the only real answer I can give will 4 be after some reflection in my submission, but I 5 believe that the half the answer that I'm prepared to 6 give now is that this was a -- the factual situation 7 here is quite unusual. I believe it's quite unusual 8 to have something receive a classification and then as 9 a result of that classification be made publicly, 10 lawfully publicly available for a significant period 11 of time, not a day, not a week, no accidental clerical 12 error, but a full reasonable reliance on a 13 classification from the department, which led to its 14 worldwide distribution and that there are some errors 15 that, you know, which I think that the classification 16 was, which when you look at all the facts it doesn't 17 make sense to put a classification on it. It just is 18 out of variance with reality. But that's only half 19 my -- I will expand. 20 MR. DAVIDSON: I understand. That is my 21 view on it. Not necessarily anybody else's. Did you 22 want to say something? Page 75 1 MR. GILMORE: Sure. To me it looks like an 2 end-use issue. The new regulations that came out in 3 December make significant differences in exportability 4 of various kinds of crypto based on the end-use. 5 Whether you can do this, you can send the same 6 software out of the country for banking but you can't 7 send it out for metallurgy or whatever. In this case 8 I think you could draw a clear distinction that says 9 if this software was used for confidentiality it would 10 be 5D002. Because it's end-use is authentication then 11 it falls into this exemption. 12 MR. LEWIS: Usually the way we do that is, 13 I was thinking along similar lines, but we would do it 14 as a practical matter a little differently, which is 15 that the end-use doesn't determine the classification, 16 the end-use will determine whether or not an item can 17 be approved for export and that's where the one other 18 scenario is even if this is 5D002, it doesn't mean it 19 can't be exported to some group of end-users and that 20 would be depending on the outcome of the appeal. 21 MR. DANIEL: It's not clear to us who the 22 end-users, who the early adopters are. Sometimes it's Page 76 1 universities, sometimes it's a small company. 2 Remember, we are dealing largely here also with the 3 Linux community, so often you will end up with some 4 small company that has got maybe a bank and they might 5 go off and work on it, make a bunch of changes, make 6 it operational and then feed those changes back. 7 Maybe they will feed them back to South Carolina or 8 Germany for the distribution. We don't know. It's 9 whoever gets there first and is most interested in 10 doing the work. 11 MR. LEWIS: There are vehicles that would 12 accommodate that. I'm not sure they will work in this 13 case. But you can get away from identifying. You 14 want people just to have access to it. You want to 15 reduce transaction costs. There is ways to do that. 16 Whether it works, again whether -- 17 MR. DANIEL: It's more than reducing our 18 transaction costs. It's making it easy enough for 19 people who are suckers enough to actually go off and 20 be the first in line to try to make this work, to 21 actually get at the tools to try. 22 MR. LEWIS: Sure. Page 77 1 MR. DAVIDSON: I would be happy if any 2 person wants to keep going, but this is hard on the 3 court reporter right now, so if there is nothing more 4 to say on the record I would suggest we close the 5 hearing. Is that okay? 6 MR. TIEN: Fine with me. Unless you -- you 7 are the one. If you have more questions I am happy to 8 answer. But if you are done, then we are done. 9 MR. DAVIDSON: Thank you very much. 10 - - - 11 (The hearing was concluded at 12:15 p.m.) 12 - - - 13 14 15 16 17 18 19 20 21 22 Page 78 1 I, ROBERT M. JAKUPCIAK, DO HEREBY CERTIFY 2 THAT THE TESTIMONY OF THE PARTIES WAS TAKEN BY ME IN 3 STENOTYPY AND THEREAFTER REDUCED TO PRINT UNDER MY 4 DIRECTION; THAT SAID HEARING IS A TRUE RECORD OF THE 5 TESTIMONY GIVEN BY THE PARTIES; THAT I AM NEITHER 6 COUNSEL FOR, RELATED TO, NOR EMPLOYED BY ANY OF THE 7 PARTIES TO THE ACTION IN WHICH THIS HEARING WAS TAKEN; 8 AND, FURTHER, THAT I AM NOT A RELATIVE OR EMPLOYEE OF 9 ANY ATTORNEY OR COUNSEL EMPLOYED BY THE PARTIES 10 HERETO, NOR FINANCIALLY OR OTHERWISE INTERESTED IN THE 11 OUTCOME OF THE ACTION. 12 13 NOTARY PUBLIC IN AND FOR THE DISTRICT OF COLUMBIA 14 15 My Commission Expires: November 2004 16 17 18 19 20 21 22 BLOCK COURT REPORTING, INC. The High-Tech Leader in Court Reporting Services (202) 638-1313 (800) 735-3376 (DEPO)