From: jim bell <jimbell@pacifier.com>
To: RHS Linux User <cypherpunks@toad.com
Message Hash: 66e06f592218c4be7959da8ee0770d4ee3461d323ec4fc5fec9d941aacf23f98
Message ID: <199606031915.MAA25368@mail.pacifier.com>
Reply To: N/A
UTC Datetime: 1996-06-04 00:48:37 UTC
Raw Date: Tue, 4 Jun 1996 08:48:37 +0800
From: jim bell <jimbell@pacifier.com>
Date: Tue, 4 Jun 1996 08:48:37 +0800
To: RHS Linux User <cypherpunks@toad.com
Subject: Re: Java Crypto API questions
Message-ID: <199606031915.MAA25368@mail.pacifier.com>
MIME-Version: 1.0
Content-Type: text/plain
At 11:20 AM 6/3/96 -0400, RHS Linux User wrote:
>
>
>On Mon, 3 Jun 1996, Jeff Weinstein wrote:
>
>> Andrew Loewenstern wrote:
>> >
>> > Sun can export the signature though. The vendor already has the package,
>> > they just need the sig/cert...
>>
>> Not likely. Sun will probably be required to agree not to do this
>> as a condition of exporting software with "pluggable crypto". Software
>> with hooks for crypto functions is treated the same as the actual crypto
>> as far as the ITAR is concerned.
>
>When Microsoft announced their crypto API, they also announced that their
>signatures on crypto modules would be export-restricted.
That doesn't mean that they are, LEGALLY, export-restricted. Microsoft
can't generally bind third parties to agreements with the government. Even
in circumstances where it might appear that they can enter into an agreement
with a customer, Microsoft is sufficiently big that any terms it forces on
customers are automatically suspect of being oppressive, especially if there
is no valid business reason for a particular restriction. Besides, a
violation of any such agreement is merely a violation of an agreement with
Microsoft, not the USG. It is unlikely Microsoft is going to take
individual customers of their customer to court for violation of some
no-export agreement.
> According to
>e-mail I received from a Microsoft employee on the project, the act of
>signing was considered a "defense service" under ITAR, so exporting the
>signature would somehow be performing defense services for foreign
>persons.
Even if it is arguable that the signing of a piece of software constitutes a
"defense service," that service is performed for somebody, domestically, who
delivers that software to Microsoft. Once that software is signed, the
"defense service" is over and done with. At that point, you merely have an
object, a signature, which cannot encrypt or decrypt data. It is even less
useful than a microprocessor or RAM at facilitating encryption.
It makes slightly less sense to me than the rest of the crypto
>export restrictions do, but I guess that's the deal that Microsoft worked
>out with the Feds in order to be allowed to do a crypto API at all.
I think you've hit the nail on the head: The Feds were well aware that
Microsoft had plenty of money to challenge them in court, and they would
almost certainly have lost. So the Feds gave in on the API issue, and in
exchange Microsoft agreed to publicly state that "the signatures on crypto
modules would be export-restricted." Doesn't make it so.
Jim Bell
jimbell@pacifier.com
Return to June 1996
Return to “jim bell <jimbell@pacifier.com>”
1996-06-04 (Tue, 4 Jun 1996 08:48:37 +0800) - Re: Java Crypto API questions - jim bell <jimbell@pacifier.com>