From: jimbell@pacifier.com (jim bell)
Date: Wed, 6 Dec 95 00:25:26 PST
To: cypherpunks@toad.com
Subject: Re: Solution for US/Foreign Software?
Message-ID: <m0tNEsF-00090XC@pacifier.com>
MIME-Version: 1.0
Content-Type: text/plain



>>1.  Write a program with limited encryption (40 bit?), with the encryption
>>module in a file external to the  main program.
>>2.  Get export approval for this program.
>>3.  Write a module which replaces the encryption file, increasing key size
>>to whatever you REALLY wanted in the first place.  (128-bit IDEA, 2000-bit
>>PGP, etc.)
>>4.  Ship that new module with the old software to US customers.
>>Naturally, that new module will "leak," so anybody who buys the old
>>program out of the country can convert to a fully-functional version by
>>downloading it from a foreign bbs that just happens to have it.  The
>>module can be encrypted/signed by the manufacturer so everyone can be sure
>>of its identity and genuineness.
>>
>>
>>Better than nothing, I suppose.
>
>"Crypto hooks," basically the scheme you are proposing, were thought of by
>the authorities and are not a bypass of the crypto export laws.
>--Tim May


I'm not saying they are a "bypass" of the laws.  Rather, I'm saying that if the goal is to:

1.  Let companies like Netscape make foreign sales.

2.  Still comply with the letter of the law.


Then this would be an excellent way to achieve both those goals.  (I accept as axiomatic that if the only exportable encryption is GAKked, they're not going to be viewed seriously as a product.  A way around GAK would actually increase their profits.)

BTW, the fact that they might be "thought of" by the authorities is not going to be enough to stop them.  If the USG claims that it WILL approve GAK-ified software, it is unclear how they will decide if a given program qualifies.  Since every program of length "N" is only an XOR away from every OTHER program of length "N", modifying or disabling this software is always possible.  Remember, the reason (or, at least, one of them!) they put Clipper into a physical chip as opposed to releasing the algorithm was to prevent modifications that would subvert the algorithm.  Their decision to allow software key-escrow presumably forces them to accept certain possibilities they otherwise wanted to avoid.

If the USG tries to take the position that "any program which can be modified into another program that gets around GAK is prohibited from export," then they're going to have to stop allowing the export of pre-formatted floppy disks because they're likewise an XOR away from PGP.

So we're back to square one:  Does the USG intend to allow ANY programs to be exported?