From: jim bell <jimbell@pacifier.com>
Date: Thu, 10 Oct 1996 13:42:41 -0700 (PDT)
To: <cypherpunks@toad.com
Subject: Re: Why not PGP?
Message-ID: <199610102042.NAA10973@mail.pacifier.com>
MIME-Version: 1.0
Content-Type: text/plain


At 11:01 AM 10/10/96 -0600, Rollo Silver wrote:

>I don't intend to submit my present or future private PGP keys for key
>escrow (Is that what's called GAK?). To protect myself against forgetting
>my private key (which has happened once already) I'll no doubt some day put
>it on a floppy and put the floppy in my bank safe deposit box.

You can't "forget your key"; it's encrypted with your password and is on disk.

BTW, if you do put either or both on floppy to take to your bank, encrypt 
the files using PGP's  single-key encrypt capability, using a long and 
highly non-memorizable key. (Use a freshly demagnetized, formatted floppy, 
being careful not to put any non-encrypted files on it, even temporarily.)  
That way, if somebody (police, Feds, etc) break into your deposit box, they 
get NOTHING. 

You still have to "remember" that long, non-memorizable key, although 
something like that can be written on paper and well-hidden and/or split up 
into parts.  It's only value is to decrypt that bank-stored floppy.

>
>Two questions:
>
>1. Does anyone think that legislation might be passed which would
>criminalize my communications with Ray?

The politicians and cops and TLA's would certainly love this, but it doesn't 
look too likely for the next five years or so, at least in America and 
probably not Europe.  However, somebody just posted an item about 
illegalizing "networked computers" in Burma...

If you're worried about this, how about giving PGP to as many friends as 
have computers, to increase its usage?  The more who use it and are aware of 
the political issue behind it, the less likely the politicians are to pull 
the wool over the collective eyes of the public.

>2. Suppose someone writes a program Z that has no expicit crypto code in
>it, but has hooks for installing one or another version of PGP. Given a
>copy of Z, someone in this country could install PGP he got from MIT,
>whereas someone in Europe could install the international version.
>Would export of Z violate ITAR restrictions?


Nobody seems to know for sure, but this has been discussed a number of times 
around here.  I happen to believe that using ITAR to even restrict the 
export of encryption is an abuse.  Attempting to restrict a program which 
can interface with external encryption is even sillier.  (by that standard, 
an operating system interfaces with PGP, which would make MSDOS restricted 
if ITAR were interpreted in this way.)

The really odd thing is that exports of Pentium computers aren't restricted, 
apparently, yet an X86 clone is just as much a tool of encryption as the 
software.  And if you ask a person, "would you rather have a copy of PGP and 
no computer, or a 166 MHz Pentium computer and no copy of PGP?" the answer 
most intelligent people would give is the latter, since getting PGP is easy 
and free.



Jim Bell
jimbell@pacifier.com