1997-05-19 - Re: Distributing cryptographic code

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: “Yoav Yerushalmi” <yoav@MIT.EDU>
Message Hash: 03aaa481a70c67e7314010b1bb8a4fb546b913b2a1446cef21edd9124625041b
Message ID: <3.0.1.32.19970519090410.00646430@popd.ix.netcom.com>
Reply To: <199705191420.IAA22020@teal.csn.net>
UTC Datetime: 1997-05-19 16:57:20 UTC
Raw Date: Tue, 20 May 1997 00:57:20 +0800

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Tue, 20 May 1997 00:57:20 +0800
To: "Yoav Yerushalmi" <yoav@MIT.EDU>
Subject: Re: Distributing cryptographic code
In-Reply-To: <199705191420.IAA22020@teal.csn.net>
Message-ID: <3.0.1.32.19970519090410.00646430@popd.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


>>   We would like to put this code up for distribution (within the US
>> of course), but don't actually know what is a 'reasonable' amount of
>> protection that one need apply to prevent people from exporting
>> it to the rest of the world.

The current MIT PGP software distribution has apparently had some
discussion with the Feds.

MPJ>The technical solution that I have come up with is (1) have a web form
MPJ> that asks 3 questions*, with the questions defaulting to "no"

The questions that get asked can be phrased in a lot of different ways;
as an anarchist I think that pgp.com's is a lot more friendly than some.
A few places go to the extremes of "Are you a Subject of the US Gov't?
Do you agree to be bound by every provision of the US Export laws,
written or unwritten, and not even CONSIDER giving this code to anyone
who might be a Furriner?  Sign in blood here!", while others are more like
"Have you heard that the US export laws say <blah blah blah>?
Do you state that it's ok for you to have the code, and that
it's Not Our Fault?"

MPJ> If all 3 answers are "yes", and if the email address given is in a  
MPJ> domain that might be in the USA (.com, .gov, .org, .us, .mil, .net, 

Of course, .com, .net, and .org are non-nationally-based domains,
and even email servers physically located in the US often have
users located outside US territory.  CompuServe is a prime example,
with users all over the world.  Some US-only-code-distribution sites
try to keep track of which sites are in the US, at least for .net.
Since the MIT code distribution site has been allowed to operate
in spite of this, the attitude of the Export Cops appears to be a
"Yes, we know it's bogus and unenforceable, but we need to at least
maintain the pretense that we're enforcing it, so don't ask
for too much technical clarification or we'll have to say No."

[* Mime-Attachment: x-audio
   Audio-Parameter-Setting: Don-Hopkins-Imitating-Monty-Python
	"WHAT is your name?
	WHAT is your favorite color?
	HOW FAR can a migrating swallow fly while carrying a coconut?"
		"Er, is that a European swallow, or an African swallow?"
	

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)





