[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Why not PGP?

To: [email protected]
Subject: Re: Why not PGP?
From: Adam Back <[email protected]>
Date: Fri, 11 Oct 1996 08:49:52 +0100
CC: [email protected], [email protected]
In-reply-to: <[email protected]> ([email protected])
Sender: [email protected]

Bill Frantz <[email protected]> writes:
> >2. Suppose someone writes a program Z that has no expicit crypto code in
> >it, but has hooks for installing one or another version of PGP. Given a
> >copy of Z, someone in this country could install PGP he got from MIT,
> >whereas someone in Europe could install the international version.
> >Would export of Z violate ITAR restrictions?
> 
> Yes

I agree.  However let me elaborate for Rollo: with ITAR there are at
least three aspects:

- what ITAR says

  It says for instance that you can not _talk_ to a foreign national in
  the US about crypto, that you can not show them books, that you can
  not export books etc.  We know this is not enforced (they tried it a
  few times and gave up).  We know books are allowed to be exported,
  examples: Bruce Schneier's Applied Crypto (crypto source code, never
  mind technical descriptions, which ITAR says are illegal to export
  or disclose to foreigners "Disclosing (including oral or visual
  disclosure)" Phil Zimmermann/MIT's PGP source code and internals
  book, the full source code to PGP itself in an OCR font) They don't
  enforce books or discussions anymore because of the clear 1st
  ammendment case against this behaviour.

- and what the NSA, and US government care to interpret ITAR as
  meaning today (they change to suit the case at hand, keeping their
  interpretation purposefully vague)

- what they care to enforce

  NCSA Mosaic had a PGP signature checking hook, they were told to
  take it out.  Microsoft's CAPI arrangement is that they will not
  sign non-US CAPI compliant crypto modules (Examples of enforcement of
  no-hooks interpretation).

  emacs mailcrypt is exported form the US (Emacs RMAIL/GNUS interface
  to PGP - just plug in pgp263i or mit pgp262, an example of
  non-enforcement of no-hooks interpretation)

Adam
--
#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)

References:
- Re: Why not PGP?
  - From: [email protected] (Bill Frantz)

Prev by Date: Re: AW: Binding cryptography - a fraud-detectible alternative to key-esc
Next by Date: Re: Why not PGP?
Prev by thread: Re: Why not PGP?
Next by thread: Re: Why not PGP?
Index(es):
- Date
- Thread