
Re: New export controls to include code signing applications



At 10:18 PM 12/11/96 -0500, Adam Shostack wrote:
>These are important and damaging changes to the regulations. My
>thanks to Lucky for pointing them out.
>
>Previously, authentication technologies, signatures and integrity
>checkers had specific exemptions.

It seems that signature checking software is still exempt. What will be prohibited is signature generating software that generates signatures for signed code if such code performs crypto. Writing such signing software abroad is trivial, as long as you have the private key. So far keys have been exempt from export controls. It will be interesting to find out if the new prohibition will be construed to extend to keying material.

>I suggest those journalists who lurk here call companies like Digital
>Pathways, McAfee, Symantec, and see if they are aware of these
>proposed changes.

In a way, the new prohibition on exports of software that protects against malicious computer damage is even more far-ranging.

To quote again from the new list of enumerated items subject to export controls: "c.3. "Software" designed or modified to protect against malicious computer damage, e.g., viruses;"

That includes every firewall product, every virus checker, every data security product, and this regardless of whether the product uses crypto or not. The new regulations go way beyond controlling crypto. The USG, in a massive power grab, has put data security as a whole on the export control list.

One likely explanation for this unprecedented move is the USG's desire to gain further leverage with US software companies. If they don't include GAK, they not only won't export their crypto software, they won't export their other security-related products either. Which may mean for some companies that they won't export anything at all. That would be a mighty big stick.




-- Lucky Green <mailto:[email protected]> PGP encrypted mail preferred
Make your mark in the history of mathematics. Use the spare cycles of
your PC/PPC/UNIX box to help find a new prime.
http://ourworld.compuserve.com/homepages/justforfun/prime.htm