From: Michael Paul Johnson <mikej2@exabyte.com>
To: Jon Orwant <orwant@media.mit.edu>
Message Hash: 91ad4532dbfd8211bc9368d4180600023804d5194a1267105c686188603a0db3
Message ID: <199701211511.HAA07045@toad.com>
Reply To: N/A
UTC Datetime: 1997-01-21 15:11:42 UTC
Raw Date: Tue, 21 Jan 1997 07:11:42 -0800 (PST)
From: Michael Paul Johnson <mikej2@exabyte.com>
Date: Tue, 21 Jan 1997 07:11:42 -0800 (PST)
To: Jon Orwant <orwant@media.mit.edu>
Subject: Re: Disseminating public-key crypto source code
Message-ID: <199701211511.HAA07045@toad.com>
MIME-Version: 1.0
Content-Type: text/plain
On Mon, 20 Jan 1997, Jon Orwant wrote:
> I've written a few Perl routines for public-key cryptography. I'd
> like to freely disseminate the source code (starting with ElGamal) to
> as many people as I can,
>
> It's my understanding that there are two orthogonal restrictions:
>
> 1) ITAResque: I can't give code to non-U.S. citizens.
> 2) PKPesque: Using public-key crypto is an infringement,
> although disseminating/possessing the source
> code is not.
>
> While I'm sure these are oversimplifications, it would seem that I can
> release my source code over the Internet provided I install a simple
> verification mechanism (cf. MIT's PGP distribution) to ensure that
> only people claiming to be U.S. citizens have access privileges.
>
> Am I correct? If so, why aren't more people doing this?
Point 2 is the easier one -- you can research, create, and distribute
patented algorithms for free. It is just in using or selling them that you
need to get a license from the patent holder (directly or indirectly).
Point 1 is a bit muddier, but the new EAR (which replace the ITAR)
actually defines what you need to do to freely distribute cryptographic
software in North America, essentially describing something like MIT's PGP
distribution system and my system at
http://www.sni.net/~mpj/usa/warning.htm (at least as far as is practical):
____
(ii) The export of encryption source code and object code software
controlled for EI reasons under ECCN 5D002 on the Commerce Control List
(see Supplement No. 1 to part 774 of the EAR) includes downloading, or
causing the downloading of, such software to locations (including
electronic bulletin boards, Internet file transfer protocol, and World
Wide Web sites) outside the U.S., or making such software available for
transfer outside the United States, over wire, cable, radio,
electromagnetic, photooptical, photoelectric or other comparable
communications facilities accessible to persons outside the United States,
including transfers from electronic bulletin boards, Internet file
transfer protocol and World Wide Web sites, unless the person making the
software available takes precautions adequate to prevent unauthorized
transfer of such code outside the United States. Such precautions shall
include:
(A) Ensuring that the facility from which the software is available
controls the access to and transfers of such software through such
measures as:
(1) The access control system, either through automated means or
human intervention, checks the address of every system requesting or
receiving a transfer and verifies that such systems are located within the
United States;
(2) The access control system, provides every requesting or
receiving party with notice that the transfer includes or would include
cryptographic software subject to export controls under the Export
Administration Act, and that anyone receiving such a transfer cannot
export the software without a license; and
(3) Every party requesting or receiving a transfer of such software
must acknowledge affirmatively that he or she understands that the
cryptographic software is subject to export controls under the Export
Administration Act and that anyone receiving the transfer cannot export
the software without a license; or
(B) Taking other precautions, approved in writing by the Bureau of
Export Administration, to prevent transfer of such software outside the
U.S. without a license.
____
Point (1) above is done at my site, to something of an approximation, by
using a .htaccess file. I'm working on improving this, some, due to some
server problems, but I think that it is close enough to meet the "such
measures as" criteria, especially since (2) and (3) are met pretty
literally by the mechanism that routinely breaks links that attempt to
bypass the warning page. Of course, this isn't perfect, and no coderpunk
worth his salt would have difficulty bypassing the system if he or she
were inclined to break the law, but it does allow me to post strong
cryptographic software without worrying about breaking the law.
Why don't more people do this? Probably because the law has usually been
even more muddy than the above, and at least as irrational, and because it
is more of a pain than just posting the stuff, which few people want to
flaunt their disregard for the law so publicly.
There is another, better way, to comply with the above using CGI
scripting, but my ISP is reluctant to let me do so, so far.
By the way, there is no automated way to add files to my crypto site,
but if you are interested in posting quality crypto software, libraries,
and documentation (like maybe some DES challenge code or RC5 cracker
code), please email me at mpj@csn.net.
Michael Paul Johnson Opinions herein are not necessarily Exabyte's.
Work: mpj@exabyte.com http://www.exabyte.com
Personal: mpj@csn.net http://www.csn.net/~mpj BBS 303-772-1062
Return to January 1997
Return to “Michael Paul Johnson <mikej2@exabyte.com>”
1997-01-21 (Tue, 21 Jan 1997 07:11:42 -0800 (PST)) - Re: Disseminating public-key crypto source code - Michael Paul Johnson <mikej2@exabyte.com>