At 09:09 PM 12/2/95 -0800, Ted Cabeen <cabeen@netcom.com> wrote:
I think this has been brought up before, but I could only find one reference to it in the archives and it wasn't too helpful, so I'll ask again. If a university provided a copy of PGP for use on their unix machines and a non-resident, non-citizen *used* the copy of PGP on the server, but did not download it onto their own machine, but instead just ran PGP on the server alone, would it be a violation of the ITAR? My school is interested in putting a copy of PGP on the university server and wants to know if they should somehow restrict access to citizens and legal residents only. Thanks.
That's not giving technical data to the foreigner, that's providing a service; the ITAR doesn't seem to restrict that. It's not an especially secure way to operate, but that's an inherent problem with multi-user systems or file servers. One way to implement it that would be only mildly insecure would be to put PGP on a file server, with execute-only permissions; users of client machines still could be attacked by somebody faking out NFS, but they wouldn't have to send their passphrases across the net the way they would in a telnet session. #-- # Thanks; Bill # Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com # Phone +1-510-247-0663 Pager/Voicemail 1-408-787-1281 # Anybody notice that Microsoft's Wide Open Road ad has barbed-wire fences # on both sides of the road?