[CWG-Stewardship] DNSSEC wrinkle...

manning bmanning at karoshi.com
Wed Jun 10 05:10:13 UTC 2015


Thanks for that.   I was a bit concerned with this text: 

“...Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor.”

A cautious reading would suggest this is not limited to intrusion software, but to any Internet Protocol […] production software and technology therefor.

An Australian take suggests a very wide remit indeed:

   http://www.smh.com.au/it-pro/security-it/dangerous-minds-are-maths-teachers-australias-newest-threat-20150608-ghira9.html

Many things “should not” happen, but end up as collateral damage. Having gone through the previous entanglement with Wassenaar, which removed export controls on most of the IP security work, primarily because encryption was NOT the goal, but authentication, this is not particularly new ground for me. The recent IETF thrust, post-Snowden, on embedding encryption in IETF protocols, ostensibly to protect privacy, may have triggered a backlash that will affect everyone using crypto code throughout the Internet.

I hope you are right and I am wrong. We return you to your regularly scheduled IANA transition debates.

manning
bmanning at karoshi.com
PO Box 12317
Marina del Rey, CA 90295
310.322.8102



On 9June2015Tuesday, at 2:12, James Gannon <james at cyberinvasion.net> wrote:

> Hey all,
> DNSSEC does not modify the standard execution path and/or is not used for the development of intrusion software and thus won’t be subject to any of the controls that may be put in place by the signatory states to the Wassenaar Arrangement. So the IANA either in its current or future form should not have any interactions with the export controls proposed.
> 
> For anyone interested I wrote about some of the background and potential impact of the arrangement as a guest post on IGP: http://www.internetgovernance.org/2015/05/25/wassenaar-turning-arms-control-into-software-control/ 
> 
> -James
> 
> 
> 
> 
> On 09/06/2015 04:46, "cwg-stewardship-bounces at icann.org on behalf of manning" <cwg-stewardship-bounces at icann.org on behalf of bmanning at karoshi.com> wrote:
> 
>> for the 41 countries that are affected…   The IANA process for DNSSEC might need some explanation as well as DNSSEC support on a global basis.
>> ———
>> 
>> The Wassenaar Arrangement (full name: The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies) is a multilateral export control regime (MECR) with 41 participating states including many former COMECON (Warsaw Pact) countries.
>> 
>> An FRN issued on 5/20/2015 https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items describes a proposal by Department of Commerce’s Bureau of Industry and Security (BIS) for a license requirement for the export, reexport, or transfer (in-country) of systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; software specially designed or modified for the development or production of such systems, equipment or components; software specially designed for the generation, operation or delivery of, or communication with, intrusion software; technology required for the development of intrusion software; Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor.
>> 
>> The FRN notes that BIS is seeking information about the effect of this rule and would appreciate the submission of comments, and especially answers to the following questions:
>> 
>> 1. How many additional license applications would your company be required to submit per year under the requirements of this proposed rule? If any, of those applications:
>> a. How many additional applications would be for products that are currently eligible for license exceptions?
>> b. How many additional applications would be for products that currently are classified EAR99?
>> 
>> 2. How many deemed export, reexport or transfer (in-country) license applications would your company be required to submit per year under the requirements of this rule?
>> 
>> 3. Would the rule have negative effects on your legitimate vulnerability research, audits, testing or screening and your company's ability to protect your own or your client's networks? If so, explain how.
>> 
>> 4. How long would it take you to answer the questions in proposed paragraph (z) to Supplement No. 2 to part 748? Is this information you already have for your products?
>> 
>> * The ADDRESSES section of this proposed rule includes information about how to submit comments.
>> 
>> ———
>> manning
>> bmanning at karoshi.com
>> PO Box 12317
>> Marina del Rey, CA 90295
>> 310.322.8102
>> 
>> 
>> 


