From: Moltar Ramone <jlasser@rwd.goucher.edu>
Date: Sat, 1 Jun 1996 02:53:48 +0800
To: Lucky Green <shamrock@netcom.com>
Subject: Re: Java Crypto API questions
In-Reply-To: <v02120d05add3f5807fe4@[192.0.2.1]>
Message-ID: <Pine.SUN.3.91.960531081207.28351B-100000@rwd.goucher.edu>
MIME-Version: 1.0
Content-Type: text/plain


On Thu, 30 May 1996, Lucky Green wrote:

> o "Security Packages must be signed. Policy for signing is public and open."
> I assume the packages must be signed by Sun. How much will it cost to have
> a package signed? How do I obtain a copy of this "public and open" policy?
> 
> o "Exportable API. Exportable applications."
> One code example shows performing a DES encryption. Another slide mentions
> "Support for [...] RSA." This is exportable? What am I missing?

My guess would be that the first of these two points answers the second.  
Everything is exportable -- except signed third-party security packages.  
My bet would be that the exportable code would not be more than RC4-40 or 
perhaps 1DES, but that a signed package would go to RC4-128, 3DES, and 
RSA-1024.  However, the signature on that package would be on the 
condition that the vendor/distributor of that package follow all export 
regulations.

This is the way Micro$oft's CAPI is supposed to work; it's got 
commodities jurisdiction approval already, my bet is Sun can get the same.

----------
Jon Lasser (410)532-7138                         - Obscenity  is a crutch  for
jlasser@rwd.goucher.edu                            inarticulate motherfuckers.
http://www.goucher.edu/~jlasser/
Finger for PGP key (1024/EC001E4D)               - Fuck the CDA.