
Re: software with "hooks" for crypto




On Wed Apr 3, 1996, John Deters wrote:

> At 02:31 PM 4/2/96 -0800, you wrote:
> >Hello all,
> >
> >I'm trying to figure out exactly what the laws are regarding the export of
> >software which contains "hooks" for PGP.  In various forms, I've heard
> >that it's not the ITAR which prevents this, but more a "suggestion" by
> >the NSA that we "shouldn't do it."  Does anyone have any pointers to
> >real legislation/laws regarding this?
> 
> There are a number of "PGP Helpers" (If this is Tuesday, it must be PGP) out
> there.  These are other PGP front end applications such as Private Idaho,
> PGPShell and others that do NOT include PGP, nor do they contain any
> encryption code within them.  These applications are all billed as "freely
> exportable".  If your software does not contain any encryption code, such
> that it simply "invokes" the user's separately-obtained-and-installed copy of
> PGP, you are not in violation of ITAR.  It sounds like this is what you're
> doing with your "hooks for PGP".

I am not a lawyer.

Hooks to encryption code have *sometimes* been considered
"ancillary devices" and as such are in violation of ITAR.

Calling another executable like pgp *might* be less of an
issue than having source code hooks that call crypto library
routines, but maybe not.  (And no, I don't understand why
they would be different.)

NCSA had something related to this in their use of PEM/PGP
in httpd.  See some info at:  

  http://hoohoo.ncsa.uiuc.edu/docs/PEMPGP.html

which says:

  Note: As of NCSA HTTPd 1.4.1, support for PEM/PGP encryption
  was removed in order to bring NCSA in compliance with the
  International Treaty on Arms Reduction to which the United
  States of America is a signatory. We hope to have an
  improved version available with NCSA HTTPd 1.5 from an
  export controlled server.

In sum, check with a lawyer.

Howard