1996-10-11 - Re: Why not PGP?

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: frantz@netcom.com
Message Hash: 06e466cf5300116de54e146186352e921e862b1e5f6f64074acaecea2a59df34
Message ID: <199610110749.IAA00291@server.test.net>
Reply To: <199610101930.MAA18867@netcom8.netcom.com>
UTC Datetime: 1996-10-11 13:00:53 UTC
Raw Date: Fri, 11 Oct 1996 06:00:53 -0700 (PDT)

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Fri, 11 Oct 1996 06:00:53 -0700 (PDT)
To: frantz@netcom.com
Subject: Re: Why not PGP?
In-Reply-To: <199610101930.MAA18867@netcom8.netcom.com>
Message-ID: <199610110749.IAA00291@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain



Bill Frantz <frantz@netcom.com> writes:
> >2. Suppose someone writes a program Z that has no expicit crypto code in
> >it, but has hooks for installing one or another version of PGP. Given a
> >copy of Z, someone in this country could install PGP he got from MIT,
> >whereas someone in Europe could install the international version.
> >Would export of Z violate ITAR restrictions?
> 
> Yes

I agree.  However let me elaborate for Rollo: with ITAR there are at
least three aspects:

- what ITAR says

  It says for instance that you can not _talk_ to a foreign national in
  the US about crypto, that you can not show them books, that you can
  not export books etc.  We know this is not enforced (they tried it a
  few times and gave up).  We know books are allowed to be exported,
  examples: Bruce Schneier's Applied Crypto (crypto source code, never
  mind technical descriptions, which ITAR says are illegal to export
  or disclose to foreigners "Disclosing (including oral or visual
  disclosure)" Phil Zimmermann/MIT's PGP source code and internals
  book, the full source code to PGP itself in an OCR font) They don't
  enforce books or discussions anymore because of the clear 1st
  ammendment case against this behaviour.

- and what the NSA, and US government care to interpret ITAR as
  meaning today (they change to suit the case at hand, keeping their
  interpretation purposefully vague)

- what they care to enforce

  NCSA Mosaic had a PGP signature checking hook, they were told to
  take it out.  Microsoft's CAPI arrangement is that they will not
  sign non-US CAPI compliant crypto modules (Examples of enforcement of
  no-hooks interpretation).

  emacs mailcrypt is exported form the US (Emacs RMAIL/GNUS interface
  to PGP - just plug in pgp263i or mit pgp262, an example of
  non-enforcement of no-hooks interpretation)

Adam
--
#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)





Thread