30 May 1998
Source: http://www.bxa.doc.gov/factsheets/kraguide.htm


May 29, 1998


The Bureau of
Export Administration
Guidelines for Submitting Requests for
BXA Approval of Key Recovery Agents



These guidelines explain how Key Recovery Agents (KRA) may be approved by BXA according to the requirements of Supplement No. 5 to Part 742 of the Export Administration Regulations (EAR). Before you read these guidelines, you should familiarize yourself with Supplement 5. In order to obtain approval, the KRA, or the applicant for eligibility to export or reexport encryption items, must provide certain information and certifications, so that BXA can evaluate the KRA's suitability and trustworthiness to maintain the confidentiality, integrity, and availability of the key(s) or other material or information required to decrypt ciphertext, as well as the KRA's security policies and key recovery procedures. These guidelines facilitate more efficient processing of requests for KRA approval under the EAR. They supplement the EAR, but do not replace any of the requirements set forth in the EAR.

These guidelines cover the requirements for three different kinds of KRA arrangements:

Type I. The first is for KRAs which are trusted third parties for encryption products that meet the criteria of Supplement 4 of Part 742.
Type II. The second is for self escrow KRAs for Supplement 4 products.
Type III. The third is for self escrow KRAs for products approved on an export license issued by BXA.


You should follow the guidelines only within the part that corresponds to your type of KRA arrangement.

To request approval, submit a letter to BXA, on company letterhead, explaining the type of KRA for which you are requesting approval, and the specific products for which you will be acting as a KRA, including their BXA CCATs number or license number. Also include in your letter the information and certifications described below. The certifications should be made on behalf of the KRA and signed by an official of the KRA who has the authority to make such certifications and to bind the KRA entity.

Submit your letter requesting KRA approval to the following address:

Attn: KRA Approval Requests
Encryption Policy Controls Division
Bureau of Export Administration
U.S. Department of Commerce
Mail Stop 2705
14th Street and Pennsylvania Ave., N.W.
Washington, D.C. 20230


DEFINITIONS

The following definitions will help you understand two important terms used in these guidelines:

Key Recovery Agent (KRA) means the total of all key recovery personnel and physical facilities at a given location which together perform the key recovery function. In the case of a Trusted Third Party, the term "KRA" may include the corporate or other business entity of which the key recovery function is a part.

The term "key recovery personnel" means any individual who:

(1) Is directly involved in the escrowing of key(s) or other material/information required to decrypt ciphertext; or

(2) Has access to key(s) or other material/information required to decrypt ciphertext; or

(3) Has access to information concerning requests for key(s) or other material/information required to decrypt ciphertext; or

(4) Responds to requests for key(s) or other material/information required to decrypt ciphertext; or

(5) Is in control of the key recovery agent and has access or authority to obtain key(s) or other material/information required to decrypt ciphertext.


TYPE I. TRUSTED THIRD PARTY KEY RECOVERY AGENTS FOR SUPPLEMENT 4 TO PART 742 PRODUCTS

Follow the instructions below if you are seeking approval as a Trusted Third Party for Supplement 4 to Part 742 products approved for License Exception KMI under Section 742.15(b)(2) of the EAR.

Information

Submit with your letter information addressing the following portions of Supplement 5 to EAR Part 742:

1. Key Recovery Agent Requirements

Include the specific information identified in paragraphs (1)(a), (5), (6), and (7). This information should include the location(s) where all KRA functions will be performed (include complete address).

2. Security Policies

Describe the specific policies you have established to satisfy the security policies in paragraphs (1) through (3).

Certifications

In addition to the information described above, include a certification that addresses the portions of Supplement 5 listed below. Remember that this certification should be signed by an officer of the company who has the authority to bind the company.

1. Key Recovery Agent Requirements

Your certification should specifically address the requirements of paragraphs (1)(b), (2), (3), and (4). Also certify that you will timely disclose to BXA the occurrence of any of the situtations described in paragraph (6).

2. Security Policies

Certify that you will timely disclose to BXA the occurrence of the situation described in paragraph (4).

3. Key Recovery Procedures

Certify that you will implement the procedures described in paragraphs (1) through (3).

Key Recovery Agent Disclosure Agreement (Optional)

Any information you provide to BXA in support of a request for approval as a KRA is treated confidentially by BXA. From time to time, we receive requests from potential exporters for the names of approved KRAs. We are unable to accommodate such requests because this information is also given confidential treatment by BXA. If you are approved as a KRA by BXA and you would like BXA to disclose certain information to exporters who inquire, send in writing to BXA, from an appropriate authorized individual, a letter which states that BXA may disclose your KRA identification number, the name and address of your company, your telephone number and/or e-mail address, and the name of a contact person. A sample letter is included.

Approval under the EAR based on Foreign Government Approval

If you are seeking approval as a KRA under the EAR based on an approval issued by a foreign government, you may submit evidence that the government of the country in which the KRA will operate has approved the KRA in accordance with that government's own KRA laws, regulations or guidelines. BXA may, but is not required to, accept this approval in lieu of the information and certifications listed above. If you submit this information in lieu of the information and certifications in the guidelines, BXA will inform you in a timely manner if this information is sufficient to approve you as a KRA under the EAR. If it is not sufficient, you must submit the information and certifications listed in these guidelines in order to obtain approval from BXA.

TYPE II. SELF-ESCROW KEY RECOVERY AGENTS FOR SUPPLEMENT 4 TO PART 742 PRODUCTS

Under the EAR, a KRA may be internal to a user's organization and may consist of one or more individuals. When an exporter's customer will self-escrow in the United States or abroad, with or without a legal obligation to the exporter, the customer must be approved by BXA. Follow the instructions below for self-escrowing entities requesting BXA approval as KRAs for Supplement 4 to Part 742 products approved for License Exception KMI under Section 742.15(b)(2) of the EAR.

Information

Submit with your letter information to satisfy the following portions of Supplement 5 to EAR Part 742:

1. The specific information identified in paragraph (1)(a) under I. Key Recovery Agent Requirements.

2. The location where keys or other material/information required to decrypt ciphertext will be kept (include complete address).

3. The name of the key recovery individual designated as a point of contact (POC) who will respond to legal requests for keys or other material/information required to decrypt ciphertext.

4. Information to demonstrate that the policies and procedures used by the self escrow agent will ensure that the criteria of paragraph (8), under I. Key Recovery Agent Requirments, will be met. The information submitted should address the following:

a. the confidentiality of the key(s) or other material/information required for decryption of ciphertext (including locks and personnel access restrictions) ;

b. the integrity of the database (including physical and electronic access controls);

c. the availability of the database (including system redundance, back-up capabilities, and multi-person control); and

d. the confidentiality of information concerning requests for, or provision of, key(s) or other material/information required to decrypt ciphertext, including the identity of the requestor.

Certifications

In addition to the information described above, include a certification that addresses the items listed below. Remember that this certification should be signed by an officer of the company who has the authority to bind the company.

1. A certification that the self escrowing entity has taken steps to determine the trustworthiness of key recovery personnel (e.g., criminal background check, credit check.)

2. A certification to satisfy paragraph (8) of I. Key Recovery Agent Requirements, that the self escrow KRA is structurally independent from the rest of the organization and the POC has the authority to respond to legal requests for key(s) or other material/information required to decrypt ciphertext, without further authorization from other officers of the company.

3. A certification that any changes to the information you submit or certifications you make will be promptly disclosed to BXA.

Approval under the EAR based on Foreign Government Approval

You may submit evidence that the government of the country in which the self-escrow KRA will operate has approved it in accordance with that government's own KRA laws, regulations or guidelines. BXA may, but is not required to, accept this approval in lieu of the information and certifications listed above. If you submit this information in lieu of the information and certifications in the guidelines, BXA will inform you in a timely manner if this information is sufficient to approve you as a KRA. If it is not sufficient, you must submit the information and certifications listed in these guidelines in order to obtain approval.

TYPE III. SELF-ESCROW KEY RECOVERY AGENTS FOR PRODUCTS APPROVED ON AN EXPORT LICENSE

Follow the instructions below for entities which use products exported under an export license issued by BXA under Section 742.15(b)(4) of the EAR subject to the following license condition:

The applicant must identify to BXA an individual by name, title and location, who has access or authority to obtain key(s) or other material/information required to recover information encrypted with the exported commodities.

The applicant must provide to BXA sufficient information to demonstrate that appropriate safeguards will be employed by the end user in handling recovery requests from government entities. These safeguards should ensure: the structural independence of the individuals/entity responsible for providing access to keys or other material/information from the rest of the organization, security and confidentiality.

Information

Include in your letter to BXA the following information:

1. The location where keys or other material/information required to decrypt ciphertext will be kept (include complete address).

2. The name of a key recovery individual designated as the point of contact (POC) who will respond to legal requests for keys or other material/information required to decrypt ciphertext.

3. The BXA export license number(s) of the products for which you will perform the key recovery function.

Certifications

In addition to the information described above, include a certification that addresses the items listed below. Remember that this certification should be signed by an officer of the company who has the authority to bind the company.

1. All key recovery personnel, including the POC, are structurally independent from the rest of the organization.

2. The POC has the authority to respond to legal requests for key(s) or other material/information required to decrypt ciphertext, without further authorization from any other officers of the company.

3. Appropriate safeguards will be employed in handling key recovery requests from government entities, and that these safeguards will assure the confidentiality, integrity, and availability of the keys or other material/information required for decryption of ciphertext.

4. Any changes to the information you submit or the certifications you make will be promptly disclosed to BXA.

5/29/98


Source: http://www.bxa.doc.gov/Encryption/disclose.htm

Sample Disclosure Letter



Patricia Sefcik
Director, Encryption Policy Controls Division
Bureau of Export Administration
U.S. Department of Commerce
14th St. and Constitution Ave.
Washington, D.C. 20230

Dear Ms. Sefcik:

On behalf of [company name], I authorize the Bureau of Export Administration to release the following information concerning my approval as a Key Recovery Agent (KRA):

a. The KRA identification number issued by BXA;

b. The name and address of the company;

[provide the name and address you would like us to use]

c. The following telephone numbers and/or e-mail addresses;

[list these here]

d. The contact point for the company.

[provide the contact person's name]

Sincerely,



Name
Title






























BXA counter