1996-01-20 - Re: CryptoAPI and export question

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: Tom Johnston <tomj@microsoft.com>
Message Hash: 3bf3e780a10e14cbf2859a5c4f016bee78a132aa617d1aac4de38f9fea432fb2
Message ID: <199601200402.UAA01863@ix6.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1996-01-20 05:07:23 UTC
Raw Date: Sat, 20 Jan 1996 13:07:23 +0800

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Sat, 20 Jan 1996 13:07:23 +0800
To: Tom Johnston <tomj@microsoft.com>
Subject: Re: CryptoAPI and export question
Message-ID: <199601200402.UAA01863@ix6.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain

Tom Johnston <tomj@microsoft.com>:
At 06:07 PM 1/17/96 EST, you wrote:
>Two points:  the CSP development kit is export-controlled; and signing a
>CSP developed by a foreign vendor is treated as a export -- so the signature
>is export-controlled.
>We would ship a CSP development kit to a foreign vendor, and sign a CSP
>developed by the foreign vendor, but only with the appropriate export licenses.

Thanks for your reply to Dr. Vulis's question.  I'd recommend examining this
policy somewhat critically, for a couple of reasons:

1) Development kits are useful, but if you've got an open, documented
interface, it's possible to develop code to use it without the kit.
(Ignoring, of course, the risk of smuggling. :-)

2) By "is treated as an export", do you mean by explicit government policy,
or by Microsoft?  Digital signatures and encrypted documents are perfectly
legal to export, as is authentication code to make digital signatures.

3) Consider the case of a contractor who buys the development kit,
and gives you code to sign.  You have no way to differentiate between
code that he developed himself, and code developed by some foreign
company that hired him and gave him the code (which is legal to import
into the US.)  He probably can't legally re-export the code, or export
the signed version of it, but he can export the signature itself,
since that's not cryptographic code, and the foreign company can
reattach it to their original document, which you have now signed....
#				Thanks;  Bill
# Bill Stewart, stewarts@ix.netcom.com, Pager/Voicemail 1-408-787-1281
# "Eternal vigilance is the price of liberty" used to mean us watching
# the government, not the other way around....