From: azur@netcom.com (Steve Schear)
To: Adam Back <aba@dcs.ex.ac.uk>
Message Hash: a8e2ada8e2ac167b7b624e8a9071cfa7e3719d5e7f934148df6e3827d5be9d45
Message ID: <v02130502ae850fb9a80c@[10.0.2.15]>
Reply To: N/A
UTC Datetime: 1996-10-12 16:07:50 UTC
Raw Date: Sat, 12 Oct 1996 09:07:50 -0700 (PDT)
Subject: Re: exporting signatures only/CAPI (was Re: Why not PGP?)
>Jim Bell <jimbell@pacifier.com> writes:
>> At 08:49 AM 10/11/96 +0100, Adam Back wrote:
>> > [...]. Microsoft's CAPI arrangement is that they will not
>> > sign non-US CAPI compliant crypto modules (Examples of enforcement of
>> > no-hooks interpretation).
>>
>> Does that fix the "export only the signature" problem (for the
>> government)/opportunity (for the rest of us)? You know, present Microsoft
>> with the software, don't tell them it's already out of the US, and they sign
>> it. Export the signature only (who cares if this is legal!) and edit the
>> international software to contain the signature.
>
>Export the lot, signature included :-)
>
>(I doubt exporting only the signature once the story came out would
>offer you any more protection legally than exporting the software).
>
>As you say who cares if it's illegal: things get exported all the
>time.
>
>The problem however, is finding a non-US site to hold the hot potato
>once it has been exported. For example 128 bit Netscape beta was
>exported a while ago. I don't see it on any non-US sites. This is
>due to Netscape's licensing requirements, you need a license to be a
>netscape distribution site, the license doesn't include the right to
>mirror non-exportable versions on non-US sites.
>
That's one good application for remailers, and .warez newsgroups.

>If the exported software is `PGP3.0 for CAPI' or whatever, I think it
>should be fair to conclude it will be cheerfully mirrored by all, and
>Phil Zimmermann won't be complaining. (PGPfone is on ftp.ox.ac.uk,
>plus other places, for example.) So yes, I agree, for software with
>appropriate distribution licenses.
>
>Another approach, which has been discussed lately is the use of a
>patch to usurp Microsoft as the signatory for CAPI modules. I wonder
>what Microsoft would say about an unauthorised patch, to fix an ITAR
>induced `bug' in windows. Bill Gates doesn't sound pro-GAK. If they
>aren't going to complain, perhaps such patches could be distributed
>widely outside the US also.
>
>The new owner of the CAPI signatory key would need a good reputation,
>and presumably a policy of signing any (non-GAKked) CAPI modules
>signed by microsoft, and anything else that anyone wants signed.
>
An excellent suggestion.