[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [NOT NOISE] Microsoft Crypto Service Provider API



At 11:18 PM 12/23/96 -0500, Blake Coverett wrote:
>jim bell wrote:
>> Even if, arguably, once-imported software becomes subject to ITAR, it is by 
>> no means clear that a "signature" is in any way controlled by ITAR.  After 
>> all, looked at generously, the "signature" might simply be a plaque or 
paper 
>> certificate, saying "this is wonderful software!"
>
>The signature in question (on a Win32 Crypto Service Provider) is embedded
>in the executable.  Certainly I could rip it out and inject it into an 
unsigned
>but otherwise identical copy outside the U.S., but that is obviously not
>going to be legal under ITAR.

Who says "that is obviously not going to be legal under ITAR"?  Personal 
computers themselves are devices which can do encryption, given appropriate 
software, and yet export of such devices goes on every day.  Operating 
systems are capable of calling programs like PGP, and yet they are exported 
every day.

(This is by no means a trivial issue.  If I were to ask you, "Would you 
rather somebody give you a $1000 computer and FAIL to give you a copy of 
good encryption software (which is also available, free, on the 'net), or 
give you the software and FAIL to give you the $1000 computer, I think most 
people would happily choose the former, knowing that they can easily remedy 
the former's drawbacks.)

Remember, the only reason "signatures" have any significance is if 
somebody else writes a program which looks for that signature before 
deciding whether to run a program.  If the "signature" involved simply says 
"Hi there!" (or is sufficiently short as to be easily reverse-engineerable), 
presumably the fault lies with somebody else, NOT the person who just 
happens to export 128 bits of value suspiciously identical to a value 
appended to a domestic copy of the program.


>ITAR is wrong and should be abolished, but that sort of weasling isn't 
>going to make something legal under the current laws.

It isn't necessary to "make something legal."  Ostensibly, under our legal 
system, activities are legal unless there is a law to make them illegal.  
(some would include regulations in this... I don't believe that 
constitutionally, "regulations" are enforceable against non-government 
people or corporations.)  I believe we should fight to decrease the envelope 
of what the government tries to force us/keep us from doing.

If I had proposed, 10 years ago, that programs be signed (whether or not 
they had anything to do with crypto), that would have been legally 
irrelevant under ITAR.  I argue that the fact that a program exists, 
somewhere out there, that looks at the signature before running a program, 
that cannot per se make the signature non-exportable.  (Otherwise, if NO 
program existed with those characteristics of being able to run that 
software, presumably that software could be exported freely because it was 
totally non-functional.)

If anything, if the government doesn't want crypto to leave the US, that's 
their row to hoe and they're gonna fail.  Giving ANYONE authority to export 
a program (or OS, or computer) simply because it first checks a signature, 
should not be interpreted as to put the onus on everyone else to ensure that the 
signatures are "legal."

Otherwise, it could have been just as effectively argued that once PGP 1.0 
had been written, any PC-clone ever built automatically because a device 
potentially capable of encryption, and thus the government would (arguably) 
be entitled to prohibit its export.  Since the US government hasn't insisted 
that every computer being exported since 1991 be incapable of running good 
crypto (example: PGP) presumably that is a valid precedent that merely 
enabling good crypto does not constitute some sort of automatic ban.  A 
signature enables crypto no more than a CPU or operating system does.

I say all this, not because I believe the government CAN'T do this, or WON'T 
do this, but because there is no precedent (that I know of) restricting the 
export of small pieces of data.  They aren't crypto programs, or anywhere 
close.  The only nexus of restriction is presumably crypto programs, and 
signatures aren't that!






Jim Bell
[email protected]