jim bell wrote:
Even if, arguably, once-imported software becomes subject to ITAR, it is by no means clear that a "signature" is in any way controlled by ITAR. After all, looked at generously, the "signature" might simply be a plaque or paper certificate, saying "this is wonderful software!"
The signature in question (on a Win32 Crypto Service Provider) is embedded in the executable. Certainly I could rip it out and inject it into an unsigned but otherwise identical copy outside the U.S., but that is obviously not going to be legal under ITAR. ITAR is wrong and should be abolished, but that sort of weasling isn't going to make something legal under the current laws. --- More interesting would be the OS patch that allows an unsigned (or signed by someone other than MS) CSP to be loaded... Hmm, logically the patch must be built in and only need to be switched on as it would be too annoying to debug a CSP if you needed to get it signed every time you built a new version. Microsoft's Authenticode system had such a patch at one time for just that purpose, and all it required was a registry setting. regards, -Blake (off to grep around inside some binaries)