28 March 1999. Thanks to Pete Kaiser for translation of official publication in French (URLs below).

4050 OFFICIAL JOURNAL OF THE REPUBLIC OF FRANCE 19 March 1999

Decrees, rulings, circulars

GENERAL TEXTS

PRIME MINISTER

Decree number 99-199 of 17 March 1999 defining the categories of cryptologic devices and services for which the procedure of prior declaration is substituted for that of authorization.

NOR: PRMX9903476D

The Prime Minister,

Considering the (EC) Council's rule number 3381/94 dated 19 December 1994 modified, instituting public requirements to control the exportation of double-use devices, notably its article 2;

Considering directive 98/34/CE of the European Parliament and Council dated 22 June 1998, modified by directive 98/48/CE of the European Parliament and Council dated 20 July 1998 envisaging an information procedure in the realm of technical standards and regulations, and rules concerning the services of the information society;

Considering law number 90-1170 of 29 December 1990 modified on the regulation of telecommunications, notably its article 28;

Considering decree number 98-101 of 24 February 1998 defining the conditions under which declarations are recorded and authorizations are given concerning cryptologic devices and services, notably its article 4;

Decrees:

Art. 1: - For each of the categories of cryptologic devices and services which figure in the first column of the table annexed to this decree, the operations for which the procedure of prior declaration is substituted for that of authorization are indicated in the second column of the same table.

Art. 2: - Decree number 98-207 of 23 March 1998, defining the categories of cryptologic devices and services for which the procedure of prior declaration is substituted for that of authorization, is repealed.

Art. 3: - This decree will be published in the Official Journal of the Republic of France.

Done in Paris, 17 March 1999.

LIONEL JOSPIN

A N N E X

DEVICES OR SERVICES OPERATIONS (*)
for which a
declaration
substitutes for
authorization

1.
Devices or software offering a service of confidentiality carried out by an algorithm whose key is of length less than or equal to 40 bits.
P

2.
Devices or software offering a service of confidentiality carried out by an algorithm whose key is of length greater than 40 bits and less than or equal to 128 bits.
P, U, I (1)

3.
Equipment designed or modified to use cryptology based on analog techniques such as

a)
Equipment using techniques of "fixed" frequency mixing with no more than 8 frequencies and where the transposition changes happen no more than once per second;
b)
Equipment using techniques of of "fixed" frequency mixing with more than 8 frequencies and where the transposition changes happen no more than once each ten seconds;
c)
Equipment using "fixed" frequency inversion and where the transposition changes happen no more than once per second;
d)
Facsimile equipment;
e)
Radio broadcast equipment for restricted reception;
f)
Civil television broadcast equipment.

P

(1) Use and importation are not subject to declaration unless they concern a device or software which has not been previously declared by the producer, supplier, or importer, and if the said device or said software is not destined exclusively for the private use of a natural person.
(*) P: provide; U: use; E: export; I: import.

19 March 1999

OFFICIAL JOURNAL OF THE REPUBLIC OF FRANCE

4051

Decree number 99-200 of 17 March 1999 defining the categories of cryptologic devices and services dispensed from all prior formality.

NOR: PRMX9903477D

The Prime Minister,

Considering the (EC) Council's rule number 3381/94 dated 19 December 1994 modified, instituting public requirements to control the exportation of double-use devices, notably its article 2;

Considering law number 90-1170 of 29 December 1990 modified on the regulation of telecommunications, notably its article 28;

Decrees:

Art. 1: - For each of the categories of cryptologic devices and services which figure in the first column of the table annexed to this decree, the operations dispensed from all prior formality are indicated in the second column of the same table.

Art. 2: - Decree number 98-206 of 23 March 1998, defining the categories of cryptologic devices and services dispensed from all prior formality, is repealed.

Art. 3: - This decree will be published in the Official Journal of the Republic of France.

Done in Paris, 17 March 1999.

LIONEL JOSPIN

A N N E X

DEVICES OR SERVICES OPERATIONS (*)
dispensed
from all prior
formalities

1.
Devices or software offering a service of confidentiality carried out by an algorithm whose key is of length less than or equal to 40 bits.
U, I

2.
Devices or software offering a service of confidentiality carried out by an algorithm whose key is of length greater than 40 bits and less than or equal to 128 bits under the condition that either the said devices or software have previously been subject to a declaration by their producer, a supplier, or an importer; or that the said devices or software are destined exclusively for the private use of a natural person.
U, I

3.
Equipment designed or modified to use cryptology based on analog techniques such as

a)
Equipment using techniques of "fixed" frequency mixing with no more than 8 frequencies and where the transposition changes happen no more than once per second;
b)
Equipment using techniques of of "fixed" frequency mixing with more than 8 frequencies and where the transposition changes happen no more than once each ten seconds;
c)
Equipment using "fixed" frequency inversion and where the transposition changes happen no more than once per second;
d)
Facsimile equipment;
e)
Radio broadcast equipment for restricted reception;
f)
Civil television broadcast equipment.

U, E, I

4.
Personalized microprocessor cards, or their specially designed components, incapable of encrypting message traffic or data supplied by their user or their associated key-management service.
P, U, E, I

5.
Mass-market television reception equipment without the capacity for digital encryption, or where digital decryption is limited to the video, audio, or management functions.
P, U, E, I

6.
Portable or mobile radiotelephones destined for civilian use which do not perform end-to-end encryption.
P, U, E, I

7.
Mass-market component digital videodisc players without the capacity of encryption, or where decryption is limited to the video, audio, information-processing, and management functions.
P, U, E, I

8.
Hardware or software methods specially designed to protect software against copying or illicit use, whose decryption functions are not accessible to the user.
P, U, E, I

9.
Access control equipment, such as automatic banknote distributors, self-service account statement printers or point of sale terminals, protecting passwords, personal identification numbers or other similar data preventing unauthorized access to such equipment, but not permitting the encryption of files or text, except when this is directly bound to the protection of passwords or personal identification numbers.
P, U, E, I

10.
Devices or services designed to protect passwords, personal identification codes, or similar authentication data used to control access to data, resources, services, or locations, subject to the condition that they not permit encryption except of files of passwords or identification codes and the information necessary for access control.
U, E, I

11.
Devices or services designed to carry out or protect a signature procedure, a cryptographic control value, a message authentication code or similar information, to verify the source of data, provide proof of origin to the recipient, or to detect surreptitious alterations or modifications bearing on the integrity of the data; except that they may permit the encryption only of the information necessary for authentication or an integrity check of the data concerned.
U, E, I

12.
Billing systems included in the operations of counters whose encryption functions are bound directly to the counting.
P, U, E, I

13.
Equipment capable of encryption accompanying foreign persons officially invited by the State.
U, E, I

14.
Commercial civil cellular radiocommunication base stations with all the following characteristics:

a)
Limited to radiotelephones which do not permit the application of cryptographic techniques to message traffic between mobile terminals, except on the links between radiotelephones and base stations (known as the radio interface);
b)
And not permitting the application of cryptographic techniques to message traffic except over the radio interface.

P, U, I

(*) P: provide; U: use; E: export; I: import.

4052

OFFICIAL JOURNAL OF THE REPUBLIC OF FRANCE

19 March 1999

Ruling of 17 March 1999 defining the form and contents of the file concerning declarations or requests for authorization related to cryptologic devices and services

NOR: PHMX9903475A

The Prime Minister,

Considering law number 90-1170 of 29 December 1990 modified on the regulation of telecommunications, notably its article 28;

Considering decree number 98-101 of 24 February 1998 defining the conditions under which declarations are registered and authorizations concerning cryptologic devices and services are given, notably its articles 5, 10 et 13,

Rules:

Art. 1 - The dossier of declaration, or requesting authorization concerning a cryptologic device or service, consists of administrative part and a technical part.

The administrative part comprises a declaration or a request for authorization conforming to the model attached to this ruling, in three copies.

The technical part comprises a description conforming to the model attached to this ruling, in three copies. Accompanying this part are two examples of the device concerned; or, for software, one example.

Dossiers filed under the framework of the simplified declaration procedure envisaged in article 9 of the decree of 24 February 1998 mentioned above, as well as those filed for renewal of an authorization, are not included in the technical part. This is replaced by an undertaking written by the person filing the dossier, certifying either that the impossibility for the device or service to assure confidentiality functions does not result simply from a keying procedure, or that the technical characteristics of the device or service are unchanged with respect to the description given in the technical part of the dossier filed when the authorization was first granted.

Art. 2. - Any change that alters the contents of the dossier of declaration or request for authorization must be brought to the attention of the central service of information systems security at least a month in advance.

Art. 3. - The ruling of 13 March 1998, defining the form and contents of the dossier concerning declarations or requests for authorization relating to cryptologic devices and services, is repealed.

Art. 4. - The Secretary General of national defense is charged with enforcement of this ruling, which will be published in the Official Journal of the Republic of France.

Done in Paris, 17 March 1999

LIONEL JOSPIN

A N N E X

PRIME MINISTER

CENTRAL SERVICE OF
INFORMATION SYSTEMS SECURITY

18, rue du Docteur-Zamenhof, 92131 Issy-les-Moulineaux Cedex
(telephone: 01-41-46-37-00, Fax: 01-41-46-37-01)

Dossier number (*): ............................

Declaration/Request for authorization
concerning a cryptologic device or service

ADMINISTRATIVE PART

Check the corresponding box or boxes:

[ ] Declaration

[ ] simplified

[ ] of supplying

[ ] for general use

[ ] for export

[ ] of importation from: .........................

[ ] of personal use

[ ] Request for authorization

[ ] of supplying for a period of: .................... (five years maximum) a device or a service which uses only those secret protocols managed by an authorized person or organization

[ ] of supplying for a period of: .................... (five years maximum)

[ ] for general use

[ ] for collective use

[ ] of exportation for a period of .................... (five years maximum)

[ ] of importation from: ..............................

[ ] of personal use for a period of .................... (ten years maximum)

________________
(*) Reserved to the Administration.

A. - Person making the declaration or requesting authorization

A.1. Company

Name: .................................................................
Type of company: ..................................................
Nationality: ......................................................
SIRET number: .....................................................
Address: ..........................................................
...................................................................
Telephone number: .................................................
Fax number: .......................................................
Electronic mail address: ..........................................

Person responsible for the administrative dossier

Name and forenames: ...................................................
Address: ..........................................................
...................................................................
Telephone number: .................................................
Fax number: .......................................................
Electronic mail address: ..........................................

A.2. Private individual

Name and forenames: ...................................................
Address: ..........................................................
Telephone number: .................................................
Electronic mail address: ..........................................

B. - Complete as appropriate below

B.1. Request for authorization to provide a cryptologic device or service which uses secret methods managed by an authorized organization

Reference of the registered organization(s): .............
...................................................................
...................................................................

B.2. Request for authorization to provide for collective use

Applicable categories for the users for whom the device or service is intended:

[ ] Agencies (specify): ..............................

[ ] Large enterprises (specify type of activity): ..............................

[ ] Credit businesses: ..............................

[ ] Small and medium enterprises (specify type of activity): ..............................

[ ] Other (specify, with type of activity): ..............................

B.3. Request for authorization for personal use

Needs justifying the request: .........................................
...................................................................
...................................................................

Places of use of the cryptologic means: ...............................
...................................................................
...................................................................

19 March 1999

OFFICIAL JOURNAL OF THE REPUBLIC OF FRANCE

4053

If necessary, telecommunications networks employed: ...................
...................................................................
...................................................................

C. - Device or service to which the declaration or request for authorization applies

C.1. Cryptologic device or service

Commercial reference: .................................................
Constructor's reference: ..........................................
Version: ..........................................................
Brief description: ................................................
...................................................................
...................................................................

Device registration reference if has been submitted to the Minister of Telecommunications: ...................................................

C.2. Manufacturer of the device or provider of the service

Name: .................................................................
Type of company: ..................................................
Address: ..........................................................
...................................................................
Telephone number: .................................................
Fax number: .......................................................
Electronic mail address: ..........................................

C.3. Person responsible for the technical dossier

C.4. Miscellany

If the device or service uses devices or services previously declared or authorized, specify for each their identification, reference, and date of notification of the declaration or authorization:
..................................................................
...................................................................

C.5. Cryptologic services provided

[ ] Authentication (*): ..............................

[ ] Access control (*): ..............................

[ ] Signature (*): ..............................

[ ] Integrity (*): ..............................

[ ] Confidentiality (*): ..............................

[ ] telephone

[ ] fax

[ ] messaging

[ ] transmission of data (specify the type(s) of data encrypted, for example financial, medical, management, ....): ..............................

[ ] other (specify): ..............................

[ ] Other (specify) (*): ..............................

C.6. Installation of algorithms

[ ] Software

[ ] Hardware (specify): ..............................

________________
(*) Specify the name(s) of the algorithm(s) used.

D. - Attestation

I, the undersigned (name, forenames) .................................... acting in my capacity as ....................................................... representative of the provider - exporter - importer - user (*) certify that the information in this declaration - request for authorization (*) is true and has been determined in good faith, any false declaration or any omission from the information provided exposing me to the penalties envisaged by article 28 of law 90-1170 of 29 December 1990 modified and by decree number 98-101 of 24 February 1998.

Date: ...................................................................

Signature:

________________
(*) Cross out inapplicable cases.

TECHNICAL PART

To attach to the dossier of declaration or request for authorization concerning cryptologic devices and services (1)

The technical part comprises the following information:

The product's commercial reference:

name;
version number;

The general description of the product, the user manual;

The description of the services offered by the product;

The description of the cryptologic functions offered by the product (encryption, signature, key management):

Either a complete description of the cryptologic procedures employed, in the form of a mathematical description and a simulation in a high-level language such as C or Pascal, or the reference to a previously filed dossier for a product using the same cryptologic procedure, or reference to a clear recognized standard whose technical details are easily and unconditionally accessible.

The description of key management carried out by the device, including at least

the method of distribution;
the procedure of key generation;
the format in which keys are held, if this is done;
the format in which keys are transmitted, if this is done;

The description of technical measures carried out to prevent changes in the encryption procedure or associated key management (2);

The description of pre-treatment of clear data before their encryption (compression, formatting, addition of a header, etc.);

The description of post-treatment of encrypted data after their encryption (addition of a header, formatting, packetizing, etc.).

________________

(1): In accordance with the third paragraph of article 1 of the ruling above, the technical part must be accompanied by two examples of the device concerned, or by one example of the software concerned.
(2): To be supplied only in case of a request for authorization.

Document	Original text	Page images
Decree 99-199	http://www.internet.gouv.fr/francais/textesref/cryptodecret99199.htm	http://tif.journal-officiel.gouv.fr/1999/04050001.tif
Decree 99-200	http://www.internet.gouv.fr/francais/textesref/cryptodecret99200.htm	http://tif.journal-officiel.gouv.fr/1999/04051001.tif
Ruling	http://www.internet.gouv.fr/francais/textesref/cryptoarrete4.htm	http://tif.journal-officiel.gouv.fr/1999/04052ALL.tif

The four official TIFF images are available in a Zipped file: http://jya.com/decrets-tif.zip (365K)

HTML by JYA/Urban Deadline, and Pete Kaiser kaiser@acm.org;
translation by Pete Kaiser. Report errata to jy@jya.com

DEVICES OR SERVICES	OPERATIONS (*) for which a declaration substitutes for authorization
1. Devices or software offering a service of confidentiality carried out by an algorithm whose key is of length less than or equal to 40 bits.	P
2. Devices or software offering a service of confidentiality carried out by an algorithm whose key is of length greater than 40 bits and less than or equal to 128 bits.	P, U, I (1)
3. Equipment designed or modified to use cryptology based on analog techniques such as a) Equipment using techniques of "fixed" frequency mixing with no more than 8 frequencies and where the transposition changes happen no more than once per second; b) Equipment using techniques of of "fixed" frequency mixing with more than 8 frequencies and where the transposition changes happen no more than once each ten seconds; c) Equipment using "fixed" frequency inversion and where the transposition changes happen no more than once per second; d) Facsimile equipment; e) Radio broadcast equipment for restricted reception; f) Civil television broadcast equipment.	P
(1) Use and importation are not subject to declaration unless they concern a device or software which has not been previously declared by the producer, supplier, or importer, and if the said device or said software is not destined exclusively for the private use of a natural person. (*) P: provide; U: use; E: export; I: import.

DEVICES OR SERVICES	OPERATIONS (*) dispensed from all prior formalities
1. Devices or software offering a service of confidentiality carried out by an algorithm whose key is of length less than or equal to 40 bits.	U, I
2. Devices or software offering a service of confidentiality carried out by an algorithm whose key is of length greater than 40 bits and less than or equal to 128 bits under the condition that either the said devices or software have previously been subject to a declaration by their producer, a supplier, or an importer; or that the said devices or software are destined exclusively for the private use of a natural person.	U, I
3. Equipment designed or modified to use cryptology based on analog techniques such as a) Equipment using techniques of "fixed" frequency mixing with no more than 8 frequencies and where the transposition changes happen no more than once per second; b) Equipment using techniques of of "fixed" frequency mixing with more than 8 frequencies and where the transposition changes happen no more than once each ten seconds; c) Equipment using "fixed" frequency inversion and where the transposition changes happen no more than once per second; d) Facsimile equipment; e) Radio broadcast equipment for restricted reception; f) Civil television broadcast equipment.	U, E, I
4. Personalized microprocessor cards, or their specially designed components, incapable of encrypting message traffic or data supplied by their user or their associated key-management service.	P, U, E, I
5. Mass-market television reception equipment without the capacity for digital encryption, or where digital decryption is limited to the video, audio, or management functions.	P, U, E, I
6. Portable or mobile radiotelephones destined for civilian use which do not perform end-to-end encryption.	P, U, E, I
7. Mass-market component digital videodisc players without the capacity of encryption, or where decryption is limited to the video, audio, information-processing, and management functions.	P, U, E, I
8. Hardware or software methods specially designed to protect software against copying or illicit use, whose decryption functions are not accessible to the user.	P, U, E, I
9. Access control equipment, such as automatic banknote distributors, self-service account statement printers or point of sale terminals, protecting passwords, personal identification numbers or other similar data preventing unauthorized access to such equipment, but not permitting the encryption of files or text, except when this is directly bound to the protection of passwords or personal identification numbers.	P, U, E, I
10. Devices or services designed to protect passwords, personal identification codes, or similar authentication data used to control access to data, resources, services, or locations, subject to the condition that they not permit encryption except of files of passwords or identification codes and the information necessary for access control.	U, E, I
11. Devices or services designed to carry out or protect a signature procedure, a cryptographic control value, a message authentication code or similar information, to verify the source of data, provide proof of origin to the recipient, or to detect surreptitious alterations or modifications bearing on the integrity of the data; except that they may permit the encryption only of the information necessary for authentication or an integrity check of the data concerned.	U, E, I
12. Billing systems included in the operations of counters whose encryption functions are bound directly to the counting.	P, U, E, I
13. Equipment capable of encryption accompanying foreign persons officially invited by the State.	U, E, I
14. Commercial civil cellular radiocommunication base stations with all the following characteristics: a) Limited to radiotelephones which do not permit the application of cryptographic techniques to message traffic between mobile terminals, except on the links between radiotelephones and base stations (known as the radio interface); b) And not permitting the application of cryptographic techniques to message traffic except over the radio interface.	P, U, I
(*) P: provide; U: use; E: export; I: import.

[ ]		simplified
[ ]		of supplying
		[ ] for general use
		[ ] for export
[ ]		of importation from: .........................
[ ]		of personal use

[ ]		of supplying for a period of: .................... (five years maximum) a device or a service which uses only those secret protocols managed by an authorized person or organization
[ ]		of supplying for a period of: .................... (five years maximum)
		[ ] for general use
		[ ] for collective use
[ ]		of exportation for a period of .................... (five years maximum)
[ ]		of importation from: ..............................
[ ]		of personal use for a period of .................... (ten years maximum)

[ ]	Agencies (specify):	..............................
[ ]	Large enterprises (specify type of activity):	..............................
[ ]	Credit businesses:	..............................
[ ]	Small and medium enterprises (specify type of activity):	..............................
[ ]	Other (specify, with type of activity):	..............................

[ ]	Authentication (*):	..............................
[ ]	Access control (*):	..............................
[ ]	Signature (*):	..............................
[ ]	Integrity (*):	..............................
[ ]	Confidentiality (*):	..............................
	[ ] telephone
	[ ] fax
	[ ] messaging
	[ ] transmission of data (specify the type(s) of data encrypted, for example financial, medical, management, ....):	..............................
	[ ] other (specify):	..............................
[ ]	Other (specify) (*):	..............................

[ ]	Software
[ ]	Hardware (specify):	..............................