On Tue, 1 Oct 1996, Timothy C. May wrote:
Any other ideas on how the government plans to enforce GAK, to make GAK the overwhelmingly-preferred solution?
I am not certain that the USG has to make interoperable software illegal. It simply can withhold export licenses for products that allow such interoperability. That might go a long way to incentivizing industry to cooperate. But I would not at all be surprised if they took stronger measures.
If the evil Clinton administration has not made GAK illegal, it is simply because it does not think it has the votes in Congress right now to get such legislation passed. It is probably hoping that some outrage (perhaps engineered) will change this. Thus, we have a race between those who want to get strong unescrowed crypto so entrenched that it can not be changed and the Clinton administration, which is waiting for a change in legislative climate. The Clinton administration hopes to use ITAR's market pressure to slow things down long enough for victory.

But how is ITAR to be enforced, in the absence of a new law? As has been pointed out on this list, the inevitability of software privacy and sub-licensing provides a loophole that would allow US companies to evade the ITAR as a _LEGAL_ inhibition. The big companies have smart lawyers, so why is not this loophole being used to evade the ITAR? The obvious answer is that extra-legal pressure can be brought to bear on a big company. Things like threats of IRS audits and other harassment probably act as the big brakes. Probably such pressure in combination with foreign governments has prevented big foreign companies to withhold strong crypto as well.

So, if big companies are subject to governmental pressure, why would we want their crypto? Most big companies do not release their source-code with their crypto products. The big companies could have been pressured, ITAR or no, to put crypto holes in their products. Big companies simply are not trustable for purposes of crypto. Bear in mind that a sabotaged crypto product can be made to inter-operate with a strong crypto product, by simply having the sabotaged crypto product always choose its keys from a covertly restricted keyspace! Thus a product made to an open strong-crypto standard does not address the trust problem.

Cypherpunks should not be asking big companies to write crypto products, but rather should be asking for crypto-with-a-hole. This would allow us to check the software for cracks and PGP or something like it could become the world crypto standard. Perhaps if the hole were made general enough, it could also be used to evade the ITAR. A software product could support generalized filtering with other uses besides crypto. After all, they have not embargoed C compilers and compilers can be used to implement crypto. (I do not know, I am not a lawyer.)

Anyhow, conclusion is that cypherpunks should not be asking big companies to implement crypto, but rather look for easy ways users can implement crypto "on top of" commercial software products. Therefore we should boycott and disparage any commercial products that voluntarily implement GAK.

--
Paul Elliott
Telephone: 1-713-781-4543
Paul.Elliott@hrnowl.lonestar.org
Address: 3987 South Gessner #224, Houston Texas 77063