|
|
| IP Cores, Inc. is an American company. As such, we are subject to the US export regulations
- and the US government does regulate the
export of encryption products. This page contains a brief explanation of our export licensing situation. It is intended to be used as an introductory material for engineers planning to use our
encryption cores. It cannot and should not be used as a substitute for a thorough review of applicable US export laws - check with your company legal department for such a review. If you have no time to read this text, just
browse through the first section below. |
|
| The export licensing process is well-described on the official US government site http://www.bis.doc.gov/licensing/exportingbasics.htm. Note that not just an American-made IP core, but the foreign-made products based on the core might be subject to the US export licensing. |
|
 |
In a nutshell |
|
|
This section contains a brief summary of
a longer discussion below. For our
encryption cores
(except DES1-NLR), unless your
circumstances are special (say, you work
for a government - other than the US
government, naturally - not industry): |
|
|
- A subsidiary of a US company in most countries does not need an export license
- A Canadian company does not need an export license
- A company from the
European Union does not need an export license
- A company based in Australia,
Hong Kong,
Iceland, India, Indonesia,
Israel, Japan, Malaysia,
Mexico, New Zealand, Norway, Philippines,
Singapore,
South Africa,
South Korea, Switzerland, Taiwan,
Thailand, or
Turkey does not need a license
- Companies from other countries do need the export license, so a 30-day review by the US government is inevitable. Since there are no fees associated with the license, we can easily apply for an export license early in the process of engagement.
There is a
good chance that the legal
department at your company works slower than the
US government, thus
the license is typically
issued by the time
the contract is
ready for signatures.
- It is most likely that your
product, manufactured with the
use of our core, will not
require a US license due to the
use of our core
|
|
|
For our FFT cores,
unless your circumstances are special,
if your country is part of a huge
"Country Group B", you do not need
a license. Notable exceptions are
Chinese and Russian companies (as these
countries are not part of the list).
Single-DES core DES1-NLR
does not require a license for export to
almost any country.
We are not aware of any export licensing
requirements for our other cores.
|
|
|
Information about us and our cores |
|
| |
The information in this section (coupled with the pricing information) is sufficient for an export licensing professional to determine if an export or re-export license is required for the core.
Our AES-based security cores: |
- Are classified as 5E002
- Country restrictions are NS1 and AT1
- We have been granted permission
for export to the "EU+" countries (EU and Australia, Japan, New Zealand, Norway, and Switzerland)
- We have been allowed to export our encryption cores to the following additional countries: Hong Kong, India, Indonesia, Israel, Malaysia, Mexico, Philippines, Singapore, South Africa, Taiwan, Thailand, and Turkey.
- Our permits for countries listed above contain language that
allows the application of the
de minimis rule to
the final products: "PRODUCTS MANUFACTURED USING THE TECHNOLOGY AUTHORIZED UNDER THIS LICENSE ARE SUBJECT TO THE EXPORT ADMINISTRATION REGULATIONS (EAR) IF THEY CONTAIN GREATER THAN THE DE MINIMIS LEVEL OF CONTROLLED COMPONENTS"
DES1-NLR core is classified as
5E992. Other DES-based cores are
5E002.
Our FFT cores:
- Are classified as 3A001.12.a
- Country restrictions are NS2 and
AT1
- Subject to license exemption GBS
|
|
|
Additional information for some of our US
customers: We are a California corporation
and are wholly US-owned. All our employees
are US citizens.
|
|
|
Checking the countries |
| |
For security cores, look at your country row and columns NS1 and AT1 in the Country Chart
https://www.bis.doc.gov/index.php/forms-documents/doc_download/14-commerce-country-chart; see if the country is subject to one of these restrictions. If both columns are clear, license is generally not required. Unless you are located in Canada, don't actually bother to look into this file - only Canada currently has both NS1 and AT1 columns clear.
For FFT cores, look at columns NS2 and
AT1. The FFT cores currently can be
shipped license-free to Australia,
Austria, Belgium, Bulgaria, Canada,
Croatia, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hong
Kong, Hungary, Iceland, Ireland, Italy,
Japan, South Korea, Latvia, Lithuania,
Luxembourg, Netherlands, New Zealand,
Norway, Poland, Portugal, Romania,
Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey, United
Kingdom.
|
|
|
Checking the exemptions |
| |
Exemptions relax the restrictions from the Country Chart. Brief description of exemption
ENC can be found in
http://www.bis.doc.gov/index.php/forms-documents/doc_download/98-license-exception-enc - the particular ones
applicable to our IP cores are listed
below. If one of these applies, you do not need a license (see the "bad guys" lists below, though). 740.17(a)(1) permits export
of security IP cores to
non-government users in "Supplement
3" (to Part 740,
a.k.a. "EU+") countries (EU and
Australia, Canada, Japan, New Zealand,
Norway, Switzerland, and Turkey).
740.17(a)(2) permits
export of security IP cores to
subsidiaries of US companies located
practically anywhere.
740.17(b)(2) permits export
of security cores to to (i) government
users in the Supplement 3 countries,
(ii) non-government users in most
countries with 30-day wait period
(exceptions are the so called
D:1 countries, notably China and
Russia). In the case of the wait period he exporter (IP Cores) should have previously filed an exemption review for particular core with BIS per http://www.bis.doc.gov/Encryption/enc.htm (please check with us); all export using §740.17(a) is subject to
"encryption
registration" and semi-annual reporting (also by IP Cores),
see
details..
GBS (§740.4) for FFT
cores permits export to
Country List B (too large to be quoted here). This exemption most likely covers
your country; notable exceptions include
China and Russia. All export using GBS
is subject to semi-annual reporting by
IP Cores.
|
|
|
Checking the additional countries |
| |
We have been granted a permission to export our encryption cores to the
non-government end-users in the following additional countries:
Argentina, Brazil, Chile, Hong Kong, India, Indonesia, Israel, Malaysia, Mexico, Philippines, Singapore, South Africa,South
Korea, Taiwan, Thailand.
|
|
|
Checking against bad guy lists |
| |
To use an exemption, the company should not be in one of the four lists of bad guys maintained by the US government agencies; the list of lists is in the section "Who will receive your item?" of http://www.bis.doc.gov/licensing/exportingbasics.htm.
Getting onto these lists requires a
solid determination to upset the US
government, so there is a 99.999%
probability that your company is not
there (we know of no major
companies on the lists that are based in
the countries we can export to without
obtaining a license).
|
|
|
If you need a license |
| |
Don't be discouraged - in most cases, getting a license is neither a long nor a hard process - and it is completely free of charges! We can file the "Multipurpose Application" for export online with SNAP-R, if you provide us with sufficient data, and the relevant US agencies are required to produce a response within 30 days. See these instructions for the actual details; note that most of the information comes from us, look for words "end-user", "purchaser" and "consignee". In particular, we will need: |
| |
- Your Name, Address, City, Country, Postal Code, Telephone or FAX
- End User's Name, Address, City, Country, Postal Code, Telephone or FAX (if you are not the end-user)
- Specific End-Use (complete and detailed description of the use intended). A good example of a description for an ASIC core: "The (insert our core name here) core will be embedded in an (insert your product name here) chip compliant with the (insert the standard you are following here) specifications. The users of the (insert your product name here)
chip will not have direct access to the cryptographic algorithms, except as defined by the( insert the standard you are following here) specifications."
|
| |
We are sometimes required by the US Department of Commerce as a condition for the license to obtain from you a so called "letter of assurance"
that simply states that your company is
aware of the US export regulations
affecting our cores and will comply with
these regulations. Alternatively (very
rare event, never happened to us so far), we may be required to ask the "ultimate consignee"
(your company) to sign the form BIS-711, which pretty much states that you are going to do with the product precisely what you told us you will do, or (if you are really unlucky) to provide the "End-User Certificate", which is essentially a promise from you / your government to the US government not to re-export the items.
|
|
|
Does your product need a license? |
| |
Your product incorporating our core might be subject to US export licensing as well. This is called "re-export" and is covered by a complex set of rules summarized in http://www.bis.doc.gov/Licensing/ReExportGuidance.htm. Note that the terms of our licenses typically permit the application of the "de minimis" rule to your product. De minimis rule is defined in EAR 734.4 and 736.2(b)(2) and essentially states that as long as the "controlled" items percentage (by price) is below a certain threshold in your product (typically 25%), the item you make is not subject to the US export regulations. Some EAR details translated into plain English can be found in
http://www.bis.doc.gov/seminarsandtraining/webinars/reexport-slides.pdf.
If your final product is a chip, you might also qualify for the 740.17(b)(2) or, for consumer ("mass market") applications, 740.17(b)(3) exemptions. Note that in order to qualify for these exemptions, you will need to submit your product for "review", as described in http://www.bis.doc.gov/Encryption/ MassMarket_Keys64bitsNUp.html. You can start exporting products to non-government users 30 days after the review request is "registered" with BIS, unless notified otherwise. For mass market products, you can start exporting in 30 days as well.
It is therefore very likely that you will not need a US export license for your product. Your mileage might vary,
of course.
|
|
|
|
