From: Bill Stewart <stewarts@ix.netcom.com>
Date: Tue, 31 Oct 95 19:22:00 PST
To: black@suntan.eng.usf.edu
Subject: Re: PGP at Universities
Message-ID: <199511010321.TAA15856@ix8.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 04:37 PM 10/30/95 -0600, James Black black@suntan.eng.usf.edu wrote:
>>I am talking with one of the 
>>administration people about putting PGP on the system for everyone to 
>>use, but there are issues for them (the admin) as they might be liable, 
>>even if they can't read the e-mail.  What other legal considerations 
>>should be evaluated?
>>  Is there any large organizations (like any other universities) that 
>>allow their students to use PGP, and have the system in place to make it 
>>easier for the students?  If it is offered here I might be the one to add 
>>to the mail program (pine) that is generally used to transparently use 
>>PGP, which is what I mean by having a system set up for the encryption. 

Well, one obvious example is MIT, which not only makes PGP available to
its students, it makes it available to everyone else in the US,
though ostensibly not everyone else in the world.  Your University isn't
required to be reading students' and employees' private email anyway,
(though it can get away with it by announcing it as official policy),
so not being able to read it because of PGP is just fine - if anything it
may reduce their legal liability by offering students the option of having
truly private email, where sysadmins won't even be able to read bouncemail
or other fragments of messages left around when mailers break.

On the other hand, I'm guessing that usf.edu is in the USA?  If so, 
there may be ITAR considerations - are any of your students non-US citizens
without Green Cards?  Offensive as it sounds, it may not be legal to let
them use a copy of PGP that you provide (though it's perfectly legal for
them to import copies from the UK for their own use.)  There _are_ privacy-
protecting programs you can let them use, such as the next edition of Netscape,
which has 40-bit RC4, and you can use digital signatures from packages like
RIPEM-SIG, which is a signature-only subset of RIPEM that's approved for export.
Since Netscape 2 will be using X.509 certifications, which RIPEM uses,
you or your students can do things like building good friendly user interfaces
to the current character-menu certification chains that RIPEM provides
(somewhat like PGP's Web of Trust, but a bit clumsier for now.)
#---
#                                       Thanks;  Bill
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---