1996-10-12 - exporting signatures only/CAPI (was Re: Why not PGP?)

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: jimbell@pacifier.com
Message Hash: d2d33081224f2dd76069b1540dff822c7210b69068694bcf4243d55f356a4d93
Message ID: <199610112013.VAA00503@server.test.net>
Reply To: <199610111648.JAA20799@mail.pacifier.com>
UTC Datetime: 1996-10-12 07:53:25 UTC
Raw Date: Sat, 12 Oct 1996 00:53:25 -0700 (PDT)

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Sat, 12 Oct 1996 00:53:25 -0700 (PDT)
To: jimbell@pacifier.com
Subject: exporting signatures only/CAPI (was Re: Why not PGP?)
In-Reply-To: <199610111648.JAA20799@mail.pacifier.com>
Message-ID: <199610112013.VAA00503@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain



Jim Bell <jimbell@pacifier.com> writes:
> At 08:49 AM 10/11/96 +0100, Adam Back wrote:
> >  [...].  Microsoft's CAPI arrangement is that they will not
> >  sign non-US CAPI compliant crypto modules (Examples of enforcement of
> >  no-hooks interpretation).
> 
> Does that fix the "export only the signature" problem (for the 
> government)/opportunity (for the rest of us)?   You know, present Microsoft 
> with the software, don't tell them it's already out of the US, and they sign 
> it.  Export the signature only  (who cares if this is legal!) and edit the 
> international software to contain the signature.

Export the lot, signature included :-)

(I doubt exporting only the signature once the story came out would
offer you any more protection legally than exporting the software).

As you say who cares if it's illegal: things get exported all the
time.

The problem, however, is finding a non-US site to hold the hot potato
once it has been exported.  For example 128 bit Netscape beta was
exported a while ago.  I don't see it on any non-US sites.  This is
due to Netscape's licensing requirements: you need a license to be a
Netscape distribution site, and the license doesn't include the right to
mirror non-exportable versions on non-US sites.

If the exported software is `PGP3.0 for CAPI' or whatever, I think it
should be fair to conclude it will be cheerfully mirrored by all, and
Phil Zimmermann won't be complaining.  (PGPfone is on ftp.ox.ac.uk,
plus other places, for example.)  So yes, I agree, for software with
appropriate distribution licenses.

Another approach, which has been discussed lately is the use of a
patch to usurp Microsoft as the signatory for CAPI modules.  I wonder
what Microsoft would say about an unauthorised patch, to fix an ITAR
induced `bug' in windows.  Bill Gates doesn't sound pro-GAK.  If they
aren't going to complain, perhaps such patches could be distributed
widely outside the US also.

The new owner of the CAPI signatory key would need a good reputation,
and presumably a policy of signing any (non-GAKked) CAPI modules
signed by Microsoft, and anything else that anyone wants signed.

Adam
--
#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
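The trust arrangement Adam sketches above (a loader that only accepts modules carrying a signature from its embedded signatory key, plus a second signatory whose policy is to countersign anything the first one already signed validly) can be modelled in a few lines. The following is an added example, not code from the thread or from Microsoft's CAPI: it uses textbook RSA over a SHA-256 digest with Mersenne primes as constructed, deliberately undersized key material, and the signer names "vendor" and "alt", the `loader_accepts` and `countersign` functions, and the module layout are all assumptions made for illustration. The point it makes is the defender's one: which modules a loader runs is decided entirely by which root keys it trusts and by the signing policy of whoever holds those keys.

```python
"""Toy model of a signed-module loader and a countersigning authority.

Added example for the CAPI discussion above; not the thread's or CAPI's code.
The RSA here (Mersenne-prime moduli, SHA-256 digest reduced mod n) only
illustrates the trust decision and must not be used as a real signature scheme.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed toy primes: far too small for real use, fine for the model.
M31, M61, M89 = 2**31 - 1, 2**61 - 1, 2**89 - 1
E = 65537

PublicKey = Tuple[int, int]  # (n, e)


@dataclass
class KeyPair:
    n: int
    e: int
    d: int

    @property
    def public(self) -> PublicKey:
        return (self.n, self.e)


def make_keypair(p: int, q: int) -> KeyPair:
    """Textbook RSA key from two primes; d = e^-1 mod (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    return KeyPair(n=p * q, e=E, d=pow(E, -1, phi))


def digest_mod_n(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, key: KeyPair) -> int:
    return pow(digest_mod_n(data, key.n), key.d, key.n)


def verify(data: bytes, sig: int, pub: PublicKey) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_mod_n(data, n)


@dataclass
class Module:
    name: str
    code: bytes
    signatures: Dict[str, int] = field(default_factory=dict)  # signer id -> sig

    def signed_bytes(self) -> bytes:
        # The signed material is the module name and code; signatures from
        # other signatories are not covered, so they can be added independently.
        return self.name.encode() + b"\0" + self.code


def loader_accepts(module: Module, trusted_roots: Dict[str, PublicKey]) -> Optional[str]:
    """Return the id of the trusted root whose signature validates, else None.

    The loader's embedded root set is the whole policy: a module is loadable
    exactly when one of these keys signed it, whoever wrote it.
    """
    for root_id, pub in trusted_roots.items():
        sig = module.signatures.get(root_id)
        if sig is not None and verify(module.signed_bytes(), sig, pub):
            return root_id
    return None


def countersign(module: Module, upstream_id: str, upstream_pub: PublicKey,
                my_id: str, my_key: KeyPair) -> Module:
    """Policy from the thread: sign only what the upstream signatory already
    signed validly; refuse anything unsigned or tampered with since signing."""
    sig = module.signatures.get(upstream_id)
    if sig is None or not verify(module.signed_bytes(), sig, upstream_pub):
        raise ValueError(f"{module.name}: no valid {upstream_id} signature; refusing to countersign")
    new_sigs = dict(module.signatures)
    new_sigs[my_id] = sign(module.signed_bytes(), my_key)
    return Module(module.name, module.code, new_sigs)


# Constructed demonstration keys: the original signatory and the alternative one.
VENDOR = make_keypair(M31, M61)
ALT = make_keypair(M61, M89)


if __name__ == "__main__":
    mod = Module("csp.dll", b"\x90" * 8)  # constructed stand-in for a crypto module
    mod.signatures["vendor"] = sign(mod.signed_bytes(), VENDOR)
    print("vendor-only loader:", loader_accepts(mod, {"vendor": VENDOR.public}))
    print("alt-only loader   :", loader_accepts(mod, {"alt": ALT.public}))
    cs = countersign(mod, "vendor", VENDOR.public, "alt", ALT)
    print("after countersign :", loader_accepts(cs, {"alt": ALT.public}))
    tampered = Module(cs.name, cs.code + b"x", cs.signatures)
    print("tampered module   :", loader_accepts(tampered, {"vendor": VENDOR.public, "alt": ALT.public}))
```

Two details matter for the policy in the thread. `countersign` re-verifies the upstream signature before adding its own, so the alternative signatory never launders an unsigned or altered module; and `loader_accepts` checks a module only against the roots it embeds, so a module countersigned by "alt" is accepted by an "alt"-trusting loader and ignored by a "vendor"-only one, regardless of how it got there.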