Re: Use of PGP as an export?

[tien@well.sf.ca.us (Lee Tien)]

Actually, the ITAR contains specific provisions for "defense services," and
it is possible to "export" "defense services."  

Lee Tien

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Sat, 02 Dec 1995 19:24:24 -0800
Subject: Re: Use of PGP as an export?

At 09:09 PM 12/2/95 -0800, Ted Cabeen <cabeen@netcom.com> wrote:
>I think this has been brought up before, but I could only find one reference
>to it in the archives and it wasn't too helpful, so I'll ask again.  If a
>university provided a copy of PGP for use on their unix machines and a
>non-resident, non-citizen *used* the copy of PGP on the server, but did not
>download it onto their own machine, but instead just ran PGP on the server
>alone, would it be a violation of the ITAR?  My school is interested in
>putting a copy of PGP on the university server and wants to know if they
>should somehow restrict access to citizens and legal residents only.  Thanks.

That's not giving technical data to the foreigner, that's providing a service;
the ITAR doesn't seem to restrict that.  It's not an especially secure way to
operate, but that's an inherent problem with multi-user systems or file servers.
One way to implement it that would be only mildly insecure would be to put PGP
on a file server, with execute-only permissions; users of client machines
still could be attacked by somebody faking out NFS, but they wouldn't have
to send their passphrases across the net the way they would in a telnet session.
#--
#                               Thanks;  Bill
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0663 Pager/Voicemail 1-408-787-1281

Lee Tien
Attorney
tien@well.sf.ca.us
(510) 525-0817 voice
(510) 525-3015 fax