From: "P. J. Ponder" <ponder@freenet.tlh.fl.us>
Date: Fri, 6 Sep 1996 02:11:32 +0800
To: cypherpunks@toad.com
Subject: Re: rc2 export limits..
Message-ID: <Pine.OSF.3.91.960905084320.30700A-100000@fn3.freenet.tlh.fl.us>
MIME-Version: 1.0
Content-Type: text/plain



keywords:  ITAR, SHA, beneficial and innocuous crypto

The persistent reputation known as Bill Stewart wrote:

>Date: Wed, 04 Sep 1996 23:09:17 -0700
>From: Bill Stewart <stewarts@ix.netcom.com>
>To: Kent Briggs <72124.3234@compuserve.com>
>Cc: cypherpunks@toad.com
>Subject: Re: rc2 export limits..
>
>I'm afraid my source is "Read it on the net and was surprised to hear it".
>My assumption is that the limit is for software that implements
>both signature and verification, since ITAR doesn't ban export of
>pure-authentication software.

The FIPS Pub (?180? ?181?) for the Secure Hash Algorithm (SHA) states in 
the fine print at the beginning that SHA is export controlled.  I don't 
have the document to refer to right now, but it plainly states that SHA  
falls under ITAR.  As a cryptographic hash function, why would it be 
controlled in this way?

How can I use SHA to encrypt something for someone else to decrypt?  I 
know how to use it for authentication; am I missing something here?

ANFSCD:

I tried that OnNet32 e-mail software from FTP software.  It runs under 
Windows95.  It is a lot of material to download, and way too intrusive to 
install.  It wants to metastasize itself into the innards of Microsoft 
Exchange and Inboxes, etc.  What is it with all this complexity anyway?  
Why not just have a POP client that will check mail on the server?

It also wants you to store your mailbox password in it, as opposed to 
letting you enter it on a session-by-session basis.  I don't like that.

sticking with PINE, PGP, and Xywrite II for now....