[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

how to ensure 128 bit netscape is used world wide (Re: Exporting Code the Easy Way)

Tim May <[email protected]> writes:
> At 9:44 PM -0800 1/27/98, Alan Olsen wrote:
> >At 07:26 PM 1/26/98 -0800, Tom Weinstein wrote:
> >
> >>Don't hold your breath.  We're still bound by US export regulations, so
> >>we won't be able to export crypto-relevant source code.  We'll release what
> >>we can, but you probably won't be satisfied.
> >>
> >>Of course, there's always the option for some enterprising individuals
> >>outside the US to replace the missing pieces.
> >
> >Or you could just publish the source code in a big book...  ]:>
> Or even easier option:
> Dispense with the actual scanning and OCRing and simply _say_ the code was
> OCRed. Or, for that matter, don't even bother to say. U.S. Customs and the
> ITARs/EARs have no provisions for asking international users if the version
> they are using was compiled from source code printed in books!
> Why do things the hard way?

Agree strongly.

The problem is not in the export, which as Tim says happens soon
enough anyway, as anyone can verify looking at www.replay.com where a
good collection of 128 bit browsers can be obtained.

The problem is netscape's distribution license.  I tried to work out
why netscape is only carried at certain sites, and why all of the
sites which do carry it carry 40 bit.  The answer seems to be that
even though the netscape browser is free for academic use, that
netscape tries to control distribution by requiring distributing sites
to sign their distribution license.

Netscape's motive for this restrictive distribution license I presume
is an attempt to reduce risk of hacked copies (say with virususes
embedded) being distributed.  By keeping the number of sites
controlled (albeit by weak legal mechanism) they keep the sites to a
small number of large reputable ftp sites.

This leads to the conclusion that the best thing netscape could do is:

- not distribute a 40 bit version in electronic form at all, forcing
  overseas sites to keep 128 bit versions

- have shrink wrap 40 bit versions sold overseas if they must, but
  have strict license prohibiting electronic distribution

- modify the distribution license to allow free distribution of the
  128 bit version (none of this distributors must sign a license)

- ensure that the license on the purchased 40 bit version allows one
  to use the freely obtained 128 bit version in a commercial setting

Problem solved.  No need to fiddle around with printing source code in
books, or to waste time remove crypto calls and hooks from source
code, nor waste some one elses time recoding the omitted code.

So, how about it netscape?

Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\[email protected]{$/=$z;[(pop,pop,unpack"H*",<>