cryptoanarchy.wiki

Arise, you have nothing to lose but your barbed wire fences!

1996-07-10 - Re: MSoft crypto API’s

Header Data

From: jim bell <jimbell@pacifier.com>
To: Mike Ingle <cypherpunks@toad.com
Message Hash: ae7d132da1520fcd0fff24459acd580bfd069a0230d2a65d9918168f93579429
Message ID: <199607101615.JAA01186@mail.pacifier.com>
Reply To: N/A
UTC Datetime: 1996-07-10 21:18:12 UTC
Raw Date: Thu, 11 Jul 1996 05:18:12 +0800

Raw message

From: jim bell <jimbell@pacifier.com>
Date: Thu, 11 Jul 1996 05:18:12 +0800
To: Mike Ingle <cypherpunks@toad.com
Subject: Re: MSoft crypto API's
Message-ID: <199607101615.JAA01186@mail.pacifier.com>
MIME-Version: 1.0
Content-Type: text/plain


At this point, someone will probably claim that the export of a mere 
signature (or the XOR between a sig'd and a non-sig'd file) is, itself, 
prohibited from export under ITAR.  However,  I've pointed out in the past 
that even if that export is illegal, it could be done by an unknown 
"volunteer", possibly using means as innocuous as a paper envelope (with no 
return address?) mailed to a confederate outside the US.  Later, it could be 
mailed back to the (foreign) company who wanted it in the first place.

The foreign company would, of course, NOT be guilty of any export violation, 
because it had no part in the export, and it would just be a beneficiary of 
some (guilty) anonymous prankster's action.  This tactic would not benefit a 
domestic, US manufacturer of crypto software, because it still would have to 
export thousands or even million of copies of that software.

Also, another question occurred to me, today:  Let's suppose a piece of 
software was written which is designed to run on a Microsoft API, IF SIGNED. 
 If it isn't signed, it won't do anything.  Does that mean that it's legal 
to export, since it can't actually do any encryption?  If so, we may have 
the last laugh yet.


At 11:45 PM 7/9/96 -0700, Mike Ingle wrote:
>It's even easier than that. Remember, signatures are detachable from the 
>data. You import the software, MS signs it, you export the signature, and 
>reattach it to the software.
>
>						Mike
>
>> Couldn't somebody IMPORT a piece of encryption software, have it signed by 
>> Microsoft, then take the XOR of the signed and unsigned software and export 
>> it?  (It's not a tool capable of encryption...)
>> 
>> Or:  Microsoft presumably has foreign branches, or at least it could easily 
>> afford to set up one.  What's to stop Microsoft from signing foreign 
>> encryption software outside of the US?  The software is never exported 
>> (since it's already outside the country...), so there's no USA-law involv
>> ement.
>> Jim Bell
>> jimbell@pacifier.com
>> 
>
>
>
>
Jim Bell
jimbell@pacifier.com

Thread