1996-12-12 - Re: New export controls to include code signing applications

Header Data

From: Lucky Green <shamrock@netcom.com>
To: Adam Shostack <adam@homeport.org>
Message Hash: 6724fdd2f9170a35f2d90ffb75bc9d1b90d9a9393d6c28080e6d79ebd9b1d69b
Message ID: <3.0.32.19961211203037.006a4e58@netcom14.netcom.com>
Reply To: N/A
UTC Datetime: 1996-12-12 04:31:09 UTC
Raw Date: Wed, 11 Dec 1996 20:31:09 -0800 (PST)

Raw message

From: Lucky Green <shamrock@netcom.com>
Date: Wed, 11 Dec 1996 20:31:09 -0800 (PST)
To: Adam Shostack <adam@homeport.org>
Subject: Re: New export controls to include code signing applications
Message-ID: <3.0.32.19961211203037.006a4e58@netcom14.netcom.com>
MIME-Version: 1.0
Content-Type: text/enriched

At 10:18 PM 12/11/96 -0500, Adam Shostack wrote:
>These are important and damaging changes to the regulations.  My
>thanks to Lucky for pointing them out.
>
>Previously, authentication technologies, signatures and integrity
>checkers had specific exemptions.

It seems that signature checking software is still exempt. What will be prohibited is signature generating software that generates signatures for signed code if such code performs crypto. Writing such signing software abroad is trivial, as long as you have the private key. So far keys have been exempt from export controls. It will be interesting to find out if the new prohibition will be construed to extend to keying material.

>I suggest those journalists who lurk here call companies like Digital
>Pathways, McAfee, Symantec, and see if they are aware of these
>proposed changes.  

In a way, the new prohibition on exports of software that protects against malicious computer damage is even more far-ranging.

To quote again from the new list of enumerated items subject to export controls: "c.3. "Software" designed or modified to protect against malicious computer damage, e.g., viruses;"

That includes every firewall product, every virus checker, every data security product, and this regardless of whether the product uses crypto or not. The new regulations go way beyond controlling crypto. The USG, in a massive power grip, has put data security as a whole on the export control list.

One likely explanation for this unprecedented move is the USG's desire to gain further leverage with US software companies. If they don't include GAK, they not only won't export their crypto software, they won't export their other security-related products either. Which may mean for some companies that they won't export anything at all. That would be a mighty big stick.




-- Lucky Green <mailto:shamrock@netcom.com> PGP encrypted mail preferred
Make your mark in the history of mathematics. Use the spare cycles of
your PC/PPC/UNIX box to help find a new prime.
http://ourworld.compuserve.com/homepages/justforfun/prime.htm


