436. What do Secure Socket Layers (SSLs), listed in the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications, encompass?
SSLs, as described in category (11) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications (“31 CFR § 560.540 List”) encompass “provisioning and verification software for Secure Socket Layer (SSL) certificates designated EAR99 or classified under ECCN 5D992.c, and services necessary for the operation of such software.” Additional provisioning and verification software not subject to the EAR may be included under 31 CFR § 560.540’s authorization for, in relevant part, software not subject to the EAR that is exported, reexported, or provided, directly or indirectly, by a U.S. person located outside the United States, that is of a type described in the 31 CFR § 560.540 List, provided that it would be designated as EAR99 or would...
* FAQ amended on 5-16-24 in connection with OFAC’s incorporation of Iran GL D-2 into the ITSR at section 560.540. Changes to the FAQ included certain non-substantive conforming amendments, along with language adding “provided” to “software not subject to the EAR that is exported, reexported, or provided, directly or indirectly, by a U.S. person located outside the United States.” This looks like a clarifying amendment rather than a substantive change. If a U.S. person located in France provides EAR99 software to a person in France that is ordinarily resident in Iran, this is an “exportation” to Iran for 560.204 purposes, but the term “provides” leaves no doubt that an intra-country transfer of that sort qualifies for the GL.
* On 9-23-22, OFAC replaced Iran GL D-1 with Iran GL D-2, initially without making amendments to this FAQ. See Iran GL...