At 2:29 AM -0800 1/28/98, Adam Back wrote:
The problem is not in the export, which as Tim says happens soon enough anyway, as anyone can verify looking at www.replay.com where a good collection of 128 bit browsers can be obtained.
The problem is Netscape's distribution license. I tried to work out ... This leads to the conclusion that the best thing Netscape could do is:
- not distribute a 40 bit version in electronic form at all, forcing overseas sites to keep 128 bit versions

How about this as an idea:

-- encourage Web servers to reply to 40-bit Navigator or Explorer interactions with a message saying:

-- "You have communicated with a very insecure 40-bit....."

-- "Click here, ...., to update your browser to 128 bits..."

(And the "here" site would be some outside-the-U.S. sites, of course.)

This would either patch their browser, or with a plug-in. And if their browser cannot be patched, they are at least alerted and can perhaps upgrade.

The idea being to make it very easy for customers who were forced to use the 40-bit version, or who got it by default or screwup, to easily update their browsers to full strength.

Netscape should make this as easy as possible.

(We have discussed "drop-ins" many times over the years, and the possible ITAR/EAR illegality of providing "hooks" or "drop-ins" for thoughtcrime-strength crypto, but I can't imagine anyone being successfully prosecuted on this.)

--Tim May

The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
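
The server-side check proposed in the message above, as an added example that is not part of the original thread: a WSGI middleware that answers weak-cipher sessions with an upgrade notice. It assumes the TLS front end passes Apache mod_ssl's `SSL_CIPHER_USEKEYSIZE` and `SSL_CIPHER_EXPORT` variables into the WSGI environ; the function names and `UPGRADE_URL` are hypothetical placeholders.

```python
# Added example: WSGI middleware sketch, not code from the original thread.
from html import escape

MIN_BITS = 128
# Placeholder; the post only says the link would point outside the U.S.
UPGRADE_URL = "https://upgrade.example.invalid/"


def session_key_bits(environ):
    """Return the effective session key size in bits, or None if unknown.

    Reads the per-request variables Apache mod_ssl exports
    (SSL_CIPHER_USEKEYSIZE, SSL_CIPHER_EXPORT). Assumption: the front
    end passes them into the WSGI environ unchanged.
    """
    try:
        bits = int(environ.get("SSL_CIPHER_USEKEYSIZE"))
    except (TypeError, ValueError):
        bits = None  # plain HTTP, or the variable is missing or garbled
    # An export-flagged suite is weak even when the size is unusable.
    if environ.get("SSL_CIPHER_EXPORT") == "true":
        bits = min(bits, 40) if bits is not None else 40
    return bits


def weak_cipher_notice(app, min_bits=MIN_BITS, upgrade_url=UPGRADE_URL):
    """Wrap a WSGI app; answer weak-cipher sessions with an upgrade notice."""
    def middleware(environ, start_response):
        bits = session_key_bits(environ)
        # Unknown strength (no TLS metadata) is passed through untouched.
        if bits is None or bits >= min_bits:
            return app(environ, start_response)
        body = (
            "<html><body><p>You have communicated with a very insecure "
            f"{bits}-bit connection.</p>"
            f'<p><a href="{escape(upgrade_url, quote=True)}">Click here</a> '
            f"to update your browser to {min_bits} bits.</p></body></html>"
        ).encode("utf-8")
        start_response("200 OK", [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Content-Length", str(len(body))),
            ("Cache-Control", "no-store"),  # keep the notice out of caches
        ])
        return [body]
    return middleware
```
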