[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: using PGP only for digital signatures

Pop Quiz: If you are a citizen of the U.S., prove it.

At 11:33 PM 11/4/95, Simon Spero wrote:
>On Sat, 4 Nov 1995, Derek Atkins wrote:
>> student from coming to the US.  By allowing the student into the US,
>> the gov't is implicitly giving them the right to use PGP within the
>> US.
>This is kind of a risky policy to take. The general feeling I get that
>allowing non green-card holders access to strong cryptography is sort of
>decriminalised, in that the police aren't likely to break down your door
>and have your AFS server accidentaly fall down stairs. However, it is
>still against the law, and could be used against the university in other
>unrelated circumstances.
>It seems that licences allowing foreign nationals access to cryptographic
>software within the US are pretty easy to get, and especially for
>something like PGP on a central machine.

We really need to put this one to bed.

As has been said several times recently, for the purposes of law, non-U.S.
citizens who reside in the U.S are effectively "U.S. persons." Subject to
U.S. law and generally having the same legal rights. (Can't vote. Can be
drafted. Must pay taxes. Must have a SSN. Must obey traffic laws. Must not
discriminate against the differently clued, etc.)

All of the nonsense about wearing a "munitions shirt" in front of a
"foreigner" seems to miss this essential point.

Ditto for PGP use.

Consider this: most people in the U.S. do not have a "credential" that
shows them to be U.S. citizens. (Hint: most people in the U.S. do not have
passports.) They have driver's licenses, which say nothing about
citizenship (at least California and Virgina licenses do not). Social
Security cards are the same.

(Second hint: most people are hard-pressed to locate a birth certificate
for themselves. Many people take the easy way out and simply buy a new one
for the $25 a good one costs.)

Therefore, there are few ways that citizenship can be "checked." Period. A
foreigner who wishes to "prove" his non-U.S. status could, of course, show
his green card. But this is different from proving citizenship.

As to the USF--or was it SFSU?--student worried about "allowing" PGP to be
used...I despair at this outlook. Why not simply ignore the issue, not
"give" them PGP, but instead have a few pointers to where PGP may be

As to the point about students impersonating faculty, if the faculty starts
signing their messages (doubtful), then no one can impersonate _them_.
(Except that it sounds like all this PGP stuff is to happen on campus
computers, in which case there are several ways their private keys and
passphrases can be snarfed.) The issue of a "credential" for faculty
members, something that says "This person is a member of the Foo U.
faculty," well, this is a different kettle of fish; such credentials are
not part of the PGP system, though webs of trust could in principle be used
in a klugey kind of way.

--Tim May

Views here are not the views of my Internet Service Provider or Government.
Timothy C. May              | Crypto Anarchy: encryption, digital money,
[email protected]  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."