US export regulation changes and their effects on Notes and Domino.
What is the new US export regulation?
On January 15, the U.S. Government relaxed export restrictions on the worldwide shipment of strong encryption (defined as 128 bit support). Software eligible for US export is classified into one of two categories: "Non-Retail" software can be shipped worldwide, except to foreign governments, and "Retail" software can be shipped worldwide to any customer, including foreign governments.
To attain Retail status for release 5.0.4, the first "Global" release, US export regulations require a one-time application, review and approval process prior to shipment to international governments and their agencies. Lotus has received this status. The US Government granted Lotus non-Retail and Retail status for Lotus Notes and Domino R4 and R5, Lotus QuickPlace 1.x and Lotus Sametime 1.x.
What impact will this have for Lotus?
The implication for Lotus and its customers is that worldwide shipment of stronger encryption is now permitted. Customers will no longer be required to order and choose between 6 kits (North American, North American Canadian French, International English, International English for France, French for France, and French) of different cryptographic strength. Notes/Domino release 5.0.4 meets this new strong encryption standard.
Any R4 or R5 North American Edition is immediately available to commercial, individual and foreign government customers worldwide (Retail status, which Lotus has obtained, makes it possible to ship to foreign governments), with the exception of the seven prohibited countries. (Currently, the seven prohibited countries are Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria.)
These regulations pertain only to export from the United States. For other countries with import regulations (e.g. France, China, etc.), customers will need to check the requirements of the specific country. Lotus is in the process of applying for permission to ship release 5.0.4 to France and China. While Lotus takes all steps to comply with governmental encryption regulations worldwide, Lotus recommends that customers familiarize themselves with local encryption regulations to remain in compliance.
What does this mean to an existing administration scheme?
From the customer perspective, there is:
- A higher level of security on both Notes and web protocols for international companies
- The ability for a company to purchase one kit and deploy it worldwide
- A reduction in time to administer, deploy and train
Are Lotus Notes and Domino users able to retain their current international ID?
As long as the new software is installed, Lotus Notes users can keep their existing International ID. The new software will automatically allow the use of stronger encryption.
Browser users can keep their existing key ring, but users must follow the manufacturer’s recommendations for upgrading the browser to stronger encryption.
How will interoperability work with older releases?
Lotus Notes users as well as Domino servers which have been upgraded to release 5.0.4 can authenticate and continue day-to-day operations securely with clients and servers running on earlier releases of software.
What if a company decides to remain at a release prior to the stronger release?
International customers who choose to continue using weaker encryption can remain at 5.0.3 (or earlier) or 4.6.7 (or earlier). Should they decide to upgrade only a portion of the clients and servers, they will still interoperate with older releases.
Why hasn’t the "Register New User" Dialog changed?
- Given that Administrators use the North American or International distinction for administration purposes, few changes were made to the Graphical User Interface (GUI). The dialog still presents a choice between North American and International.
- Countries have their own import rules. Preserving this distinction allows Lotus to respond to specific country changes if required.
How can I identify the new release?
Choose File – Tools – User ID. The description for "Software" should be "Global".
Why not change R4.x?
The R5 family and beyond is the strategic direction for Lotus Notes and Domino. Lotus has no plans for additional Quarterly Maintenance Releases beyond the R4.5.7 and R4.6.7 code streams; only Quarterly Maintenance Updates (QMUs) are planned for these respective releases. Lotus Notes and Domino release plans for Q1 and Q2 2000 are available at http://www.notes.net.
How long will Lotus support prior releases of R5.x international after release 5.0.4?
Lotus will provide support for all R5.x international releases, regardless of the encryption scheme, until Lotus publicly issues an End of Life (EOL) statement outlining plans to end support for a release(s).
Today, North American software may be used worldwide, but users utilizing international IDs will automatically negotiate down to a lower level of encryption. The only way to use the higher level encryption prior to release 5.0.4 is to use the North American release and to create a North American ID. This is now allowed by U.S. law.
What strength of encryption do Lotus Notes and Domino support with release 5.0.4?
Anything over 512 bit RSA key and 56 bit symmetric key is considered strong encryption and was previously not allowed for export. With the availability of release 5.0.4, the Notes client and Domino will support 1024 bit RSA key and 128 bit symmetric key for S/MIME and SSL. The Notes proprietary protocols will use a 630 bit key for key exchange, and a 64 bit symmetric key.
Summary of Keys and Encryption for release 5.0.4
- 1024 bit RSA key in the web protocols (SSL and S/MIME)
- 128 bit encryption (SSL and S/MIME)
- 630 bit RSA key for Notes protocols *
- 64 bit encryption in the Notes protocols (mail, doc encryption, session encryption, etc.)
* For International IDs, 630 bit encryption will be used for port encryption. International ID encryption for Notes Mail will remain at the 512 bit encryption strength for R5.0.4. Plans call for international ID mail encryption to achieve 630 bit strength in a future R5 release.
How do I migrate to stronger crypto?
When you upgrade to release 5.0.4, stronger cryptography will be used without a requirement to reissue existing IDs. These changes are seamless to users as well as administrators. When two different versions of software are communicating, the encryption negotiation will result in a step-down to the weaker level. Therefore, the full benefits of stronger encryption will only be realized when all software has been upgraded to the release 5.0.4 level. However, any mixed versions of the software will interoperate.
If users are accessing Domino from a Web client, customers need to install release 5.0.4 on the Domino server and obtain a browser capable of strong encryption in order to take advantage of stronger crypto. Even using a 512 bit key ring, Domino Servers running release 5.0.4 will negotiate strong session encryption (i.e., 128 bit RC4 or TripleDES).
However, to take best advantage of the relaxation of regulations, customers should obtain a new 1024 bit key pair for their Domino server. For third party browsers, follow the manufacturer’s recommendations for upgrading to stronger encryption.
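The step-down rule described above can be applied to a deployment inventory to find the connections that still negotiate the weaker level and the machines that cause it. The following is an added example, not Lotus code: the Endpoint record, its field values and the host names are hypothetical, and the rules are taken only from the statements in this FAQ.

```python
import re
from dataclasses import dataclass

GLOBAL_RELEASE = (5, 0, 4)  # first "Global" release, per the FAQ

@dataclass(frozen=True)
class Endpoint:          # hypothetical inventory record, not a Notes API
    name: str
    release: str         # e.g. "5.0.3" or "5.0.2c"
    edition: str         # kit installed: "north_american", "international", "global"
    id_type: str         # "north_american" or "international"

def parse_release(release):
    """'5.0.2c' -> (5, 0, 2); maintenance-update letters are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", release)[:3])

def strong_capable(ep):
    if parse_release(ep.release) >= GLOBAL_RELEASE:
        return True      # 5.0.4 and later: stronger crypto with any existing ID
    # Before 5.0.4 only North American software with a North American ID
    # used the higher level; international IDs negotiate down.
    return ep.edition == "north_american" and ep.id_type == "north_american"

def link_level(a, b):
    """Negotiation steps down to the weaker side, so both ends must qualify."""
    return "strong" if strong_capable(a) and strong_capable(b) else "step-down"

def audit(links):
    """Return (links that step down, endpoints whose upgrade removes them)."""
    stepped_down, to_upgrade = [], set()
    for a, b in links:
        if link_level(a, b) == "step-down":
            stepped_down.append((a.name, b.name))
            to_upgrade.update(e.name for e in (a, b) if not strong_capable(e))
    return stepped_down, sorted(to_upgrade)

def sample_links():
    """Constructed inventory; host names are made up for illustration."""
    hub = Endpoint("hub-us", "5.0.4", "global", "north_american")
    branch = Endpoint("branch-de", "5.0.3", "international", "international")
    legacy = Endpoint("legacy-ca", "4.6.7", "north_american", "north_american")
    laptop = Endpoint("laptop-fr", "5.0.2c", "north_american", "international")
    mail = Endpoint("mail-uk", "5.0.4", "global", "international")
    return [(hub, branch), (hub, legacy), (hub, laptop), (hub, mail), (branch, mail)]

if __name__ == "__main__":
    print(audit(sample_links()))
```

The model covers session negotiation between two endpoints only; as the footnote to the key summary states, Notes Mail encryption for International IDs remains at 512 bit strength in R5.0.4 even when both ends are upgraded.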