[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: exporting signatures only/CAPI (was Re: Why not PGP?)
>Jim Bell <[email protected]> writes:
>> At 08:49 AM 10/11/96 +0100, Adam Back wrote:
>> > [...]. Microsoft's CAPI arrangement is that they will not
>> > sign non-US CAPI compliant crypto modules (Examples of enforcement of
>> > no-hooks interpretation).
>>
>> Does that fix the "export only the signature" problem (for the
>> government)/opportunity (for the rest of us)? You know, present Microsoft
>> with the software, don't tell them it's already out of the US, and they sign
>> it. Export the signature only (who cares if this is legal!) and edit the
>> international software to contain the signature.
>
>Export the lot, signature included :-)
>
>(I doubt exporting only the signature once the story came out would
>offer you any more protection legally than exporting the software).
>
>As you say who cares if it's illegal: things get exported all the
>time.
>
>The problem however, is finding a non-US site to hold the hot potato
>once it has been exported. For example 128 bit Netscape beta was
>exported a while ago. I don't see it on any non-US sites. This is
>due to Netscape's licensing requirements, you need a license to be a
>netscape distribution site, the license doesn't include the right to
>mirror non-exportable versions on non-US sites.
>
That's one good application for remailers, and .warez newsgroups. at.
>If the exported software is `PGP3.0 for CAPI' or whatever, I think it
>should be fair to conclude it will be cheerfully mirrored by all, and
>Phil Zimmermann won't be complaining. (PGPfone is on ftp.ox.ac.uk,
>plus other places, for example.) So yes, I agree, for software with
>appropriate distribution licenses.
>
>Another approach, which has been discussed lately is the use of a
>patch to usurp Microsoft as the signatory for CAPI modules. I wonder
>what Microsoft would say about an unauthorised patch, to fix an ITAR
>induced `bug' in windows. Bill Gates doesn't sound pro-GAK. If they
>aren't going to complain, perhaps such patches could be distributed
>widely outside the US also.
>
>The new owner of the CAPI signatory key would need a good reputation,
>and presumably a policy of signing any (non-GAKked) CAPI modules
>signed by microsoft, and anything else that anyone wants signed.
>
An excellent suggestion.