From: kipp@warp.mcom.com (Kipp E.B. Hickman)
Date: Tue, 17 Jan 95 14:42:53 PST
To: P.vanMossel@telecom.ptt.nl
Subject: Re: 40bit Encryption : Adequate or sadly lacking ?
Message-ID: <9501172240.AA05908@warp.mcom.com>
MIME-Version: 1.0
Content-Type: text/plain



In article <3fh5m0$7tg@hdxu03.telecom.ptt.nl>, you write:
> In article <marca-1201952123120001@boulanger.mcom.com>, marca@mcom.com 
> says...
> >
> >There's no question that 40-bit is less than one would prefer.
> >This is why we are/will be supporting 128-bit RC4, for example,
> >in US-only products, honoring United States government export
> >restrictions.
> 
> Marc, isn't it possible (legally) to deliver products with a replaceble 
> encryption library (dll). Delivery with a 40-bit key DLL. The user has 
> the option to install a dll with a different keysize. Somewhat like 
> winsock...
> 
> Yes, I've seen the article suggesting a foreign office. I think an open 
> interface would do gooed for the whole field. I.e. ftp, telnet, etc. as 
> well.

Actually, it's probably worse than you think:

There are govt's out there that won't let you import code that is
"encryption ready". You must prove that your software is tamper proof
before it can be imported, and tamper proofing means that you can't
bolt on security. Also, I believe the export laws disallow "plug in"
security in the US...

The crypto legal world sucks.