From: geeman@best.com
Date: Sun, 22 Dec 1996 23:09:44 -0800 (PST)
To: jim bell <cypherpunks@toad.com
Subject: Re: [NOT NOISE] Microsoft Crypto Service Provider API
Message-ID: <3.0.32.19961222232041.0069e518@best.com>
MIME-Version: 1.0
Content-Type: text/plain



Software that is imported becomes subject to ITAR with respect to
re-exportation, of course (but of course IANALetc.)  

If you can't demonstrate to MSFT that you are
playing by the rules --such that you have the proper export papers
for your code if you plan to export it, for example-- they won't sign,
even if developed outside US.

So: you develop a CSP outside US ... you have to IMPORT it to get it signed.
It becomes subject at that point to ITAR export regs.  Unless you demonstrate
that you fulfull those requirements, no signature.  So there's no relief by
looking at just exporting the signature.

?


At 07:21 PM 12/22/96 -0800, you wrote:
>At 07:36 AM 12/18/96 -0800, geeman@best.com wrote:
>>
>>Microsoft had to agree to validate crypto binaries against
>>a signature to make sure they weren't tampered with, in 
>>exchange for shipping crypto-with-a-hole.  They will
>>sign anything (theoretically) if it has the export
>>papers and all.  Or without, if you affadavit it is not
>>for export.
>>
>>They do not themselves impose any restrictions on crypto
>>strength.
>>I'm not expressing political position here, just conveying facts ....
>
>What if the software involved was IMPORTED?  Moreover, is legal to export 
>just the signature?
>
>Jim Bell
>jimbell@pacifier.com
>
>