[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CryptoAPI and export question
Tom Johnston <[email protected]>:
At 06:07 PM 1/17/96 EST, you wrote:
>Two points: the CSP development kit is export-controlled; and signing a
>CSP developed by a foreign vendor is treated as a export -- so the signature
>is export-controlled.
>
>We would ship a CSP development kit to a foreign vendor, and sign a CSP
>developed by the foreign vendor, but only with the appropriate export licenses.
Thanks for your reply to Dr. Vulis's question. I'd recommend examining this
policy somewhat critically, for a couple of reasons:
1) Development kits are useful, but if you've got an open, documented
interface, it's possible to develop code to use it without the kit.
(Ignoring, of course, the risk of smuggling. :-)
2) By "is treated as an export", do you mean by explicit government policy,
or by Microsoft? Digital signatures and encrypted documents are perfectly
legal to export, as is authentication code to make digital signatures.
3) Consider the case of a contractor who buys the development kit,
and gives you code to sign. You have no way to differentiate between
code that he developed himself, and code developed by some foreign
company that hired him and gave him the code (which is legal to import
into the US.) He probably can't legally re-export the code, or export
the signed version of it, but he can export the signature itself,
since that's not cryptographic code, and the foreign company can
reattach it to their original document, which you have now signed....
#--
# Thanks; Bill
# Bill Stewart, [email protected], Pager/Voicemail 1-408-787-1281
#
# "Eternal vigilance is the price of liberty" used to mean us watching
# the government, not the other way around....