Re: Java Crypto API questions

[jim bell <jimbell@pacifier.com>]

At 01:13 PM 6/3/96 -0400, Simon Spero wrote:
>On Mon, 3 Jun 1996, jim bell wrote:
>> 
>> But you haven't explained why somebody can't export JUST the signature.  You 
>> know, import the software, have Sun sign it domestically, strip off everything that isn't a 
>> signature, and export the signature.  Append it to the un-imported code 
>> outside the country.
>
>Ancillary device... It's pretty clear cut.


Sure about that?  Is a microprocessor an "ancillary device"?  A DRAM module? 
 A hard disk?  How about an operating system, which stores and retrieves 
data for an encryption program?  How about a BIOS?  What about a keyboard?  
A video display?  I think that any definition of "ancillary device" which is 
so broad as to include signatures just about has to include any any of these 
things too, but it won't be considered such because the government has 
already lost the battle on hardware exports.

A signature is just that:  A signature.  It doesn't encrypt or decrypt.  It 
doesn't even ALLOW the system it's in to encrypt or decrypt, because there 
are numerous encryption programs written that have no need for such a 
signature.  If no program existed which _used_ that signature, nobody would 
think twice about exporting it.

The fact is, it is LEGAL to import encryption code into the US.  It is LEGAL 
to generate an hash of that code, and it is LEGAL to export that hash.  To 
believe otherwise is to broadly expand the scope of export laws far beyond 
what they were intended to mean.

Jim Bell
jimbell@pacifier.com