[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [NOT NOISE] Microsoft Crypto Service Provider API
At 11:18 PM 12/23/96 -0500, Blake Coverett wrote:
>jim bell wrote:
>> Even if, arguably, once-imported software becomes subject to ITAR, it is by
>> no means clear that a "signature" is in any way controlled by ITAR. After
>> all, looked at generously, the "signature" might simply be a plaque or
paper
>> certificate, saying "this is wonderful software!"
>
>The signature in question (on a Win32 Crypto Service Provider) is embedded
>in the executable. Certainly I could rip it out and inject it into an
unsigned
>but otherwise identical copy outside the U.S., but that is obviously not
>going to be legal under ITAR.
Who says "that is obviously not going to be legal under ITAR"? Personal
computers themselves are devices which can do encryption, given appropriate
software, and yet export of such devices goes on every day. Operating
systems are capable of calling programs like PGP, and yet they are exported
every day.
(This is by no means a trivial issue. If I were to ask you, "Would you
rather somebody give you a $1000 computer and FAIL to give you a copy of
good encryption software (which is also available, free, on the 'net), or
give you the software and FAIL to give you the $1000 computer, I think most
people would happily choose the former, knowing that they can easily remedy
the former's drawbacks.)
Remember, the only reason "signatures" have any significance is if
somebody else writes a program which looks for that signature before
deciding whether to run a program. If the "signature" involved simply says
"Hi there!" (or is sufficiently short as to be easily reverse-engineerable),
presumably the fault lies with somebody else, NOT the person who just
happens to export 128 bits of value suspiciously identical to a value
appended to a domestic copy of the program.
>ITAR is wrong and should be abolished, but that sort of weasling isn't
>going to make something legal under the current laws.
It isn't necessary to "make something legal." Ostensibly, under our legal
system, activities are legal unless there is a law to make them illegal.
(some would include regulations in this... I don't believe that
constitutionally, "regulations" are enforceable against non-government
people or corporations.) I believe we should fight to decrease the envelope
of what the government tries to force us/keep us from doing.
If I had proposed, 10 years ago, that programs be signed (whether or not
they had anything to do with crypto), that would have been legally
irrelevant under ITAR. I argue that the fact that a program exists,
somewhere out there, that looks at the signature before running a program,
that cannot per se make the signature non-exportable. (Otherwise, if NO
program existed with those characteristics of being able to run that
software, presumably that software could be exported freely because it was
totally non-functional.)
If anything, if the government doesn't want crypto to leave the US, that's
their row to hoe and they're gonna fail. Giving ANYONE authority to export
a program (or OS, or computer) simply because it first checks a signature,
should not be interpreted as to put the onus on everyone else to ensure that the
signatures are "legal."
Otherwise, it could have been just as effectively argued that once PGP 1.0
had been written, any PC-clone ever built automatically because a device
potentially capable of encryption, and thus the government would (arguably)
be entitled to prohibit its export. Since the US government hasn't insisted
that every computer being exported since 1991 be incapable of running good
crypto (example: PGP) presumably that is a valid precedent that merely
enabling good crypto does not constitute some sort of automatic ban. A
signature enables crypto no more than a CPU or operating system does.
I say all this, not because I believe the government CAN'T do this, or WON'T
do this, but because there is no precedent (that I know of) restricting the
export of small pieces of data. They aren't crypto programs, or anywhere
close. The only nexus of restriction is presumably crypto programs, and
signatures aren't that!
Jim Bell
[email protected]