1996-09-05 - Re: rc2 export limits..

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: Kent Briggs <72124.3234@compuserve.com>
Message Hash: edcecff666528847bc359fc0b9f548545afad683369e7897131a209b12ab9748
Message ID: <199609050609.XAA17556@dfw-ix8.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1996-09-05 08:32:47 UTC
Raw Date: Thu, 5 Sep 1996 16:32:47 +0800

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Thu, 5 Sep 1996 16:32:47 +0800
To: Kent Briggs <72124.3234@compuserve.com>
Subject: Re: rc2 export limits..
Message-ID: <199609050609.XAA17556@dfw-ix8.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


I'm afraid my source is "Read it on the net and was surprised to hear it".
My assumption is that the limit is for software that implements
both signature and verification, since ITAR doesn't ban export of
pure-authentication software.

Is the State Dept doc on the net?  It would be nice to have something
saying there are well-defined rules that they agree to follow,
unreasonable and unconstitutional though they may be.

At 12:06 PM 9/4/96 -0400, Kent Briggs <72124.3234@compuserve.com> wrote:
>stewarts@ix.netcom.com wrote:
>> However, the usual guidelines for systems like RC2 and RC4 are
>> 40-bit keys, and RSA keys up to 512 bits for encrypting
>> session keys and 1024 bits for signatures
>
>Can you list a source for the 1024-bit signature restriction?  I know
>about the 40-bit RC2/RC4 and 512-bit public encryption keys because they
>are specifically addressed in the State Dept's "Procedure for Submitting
>a Commodity Jurisdiction Request for a Mass Market Software Product that
>Contains Encryption".  However, digital signatures are not mentioned in
>this procedure.  I can't imagine what justification could be used to
>restrict the strength of digital signatures.

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# <A HREF="http://idiom.com/~wcs"> 	
# You can get PGP software outside the US at ftp.ox.ac.uk/pub/crypto
