At 11:18 PM 12/23/96 -0500, Blake Coverett wrote:
>jim bell wrote:
>>Even if, arguably, once-imported software becomes subject to ITAR, it is by no means clear that a "signature" is in any way controlled by ITAR. After all, looked at generously, the "signature" might simply be a plaque or paper certificate, saying "this is wonderful software!"
>
>The signature in question (on a Win32 Crypto Service Provider) is embedded in the executable. Certainly I could rip it out and inject it into an unsigned but otherwise identical copy outside the U.S., but that is obviously not going to be legal under ITAR.
Who says "that is obviously not going to be legal under ITAR"? Personal computers themselves are devices which can do encryption, given appropriate software, and yet export of such devices goes on every day. Operating systems are capable of calling programs like PGP, and yet they are exported every day. (This is by no means a trivial issue. If I were to ask you, "Would you rather somebody give you a $1000 computer and FAIL to give you a copy of good encryption software (which is also available, free, on the 'net), or give you the software and FAIL to give you the $1000 computer, I think most people would happily choose the former, knowing that they can easily remedy the former's drawbacks.) Remember, the only reason "signatures" have any significance is if somebody else writes a program which looks for that signature before deciding whether to run a program. If the "signature" involved simply says "Hi there!" (or is sufficiently short as to be easily reverse-engineerable), presumably the fault lies with somebody else, NOT the person who just happens to export 128 bits of value suspiciously identical to a value appended to a domestic copy of the program.
>ITAR is wrong and should be abolished, but that sort of weaseling isn't going to make something legal under the current laws.
It isn't necessary to "make something legal." Ostensibly, under our legal system, activities are legal unless there is a law to make them illegal. (Some would include regulations in this... I don't believe that constitutionally, "regulations" are enforceable against non-government people or corporations.) I believe we should fight to decrease the envelope of what the government tries to force us/keep us from doing. If I had proposed, 10 years ago, that programs be signed (whether or not they had anything to do with crypto), that would have been legally irrelevant under ITAR. I argue that the fact that a program exists, somewhere out there, that looks at the signature before running a program, that cannot per se make the signature non-exportable. (Otherwise, if NO program existed with those characteristics of being able to run that software, presumably that software could be exported freely because it was totally non-functional.) If anything, if the government doesn't want crypto to leave the US, that's their row to hoe and they're gonna fail. Giving ANYONE authority to export a program (or OS, or computer) simply because it first checks a signature should not be interpreted so as to put the onus on everyone else to ensure that the signatures are "legal." Otherwise, it could have been just as effectively argued that once PGP 1.0 had been written, any PC-clone ever built automatically became a device potentially capable of encryption, and thus the government would (arguably) be entitled to prohibit its export. Since the US government hasn't insisted that every computer being exported since 1991 be incapable of running good crypto (example: PGP), presumably that is a valid precedent that merely enabling good crypto does not constitute some sort of automatic ban. A signature enables crypto no more than a CPU or operating system does.
I say all this, not because I believe the government CAN'T do this, or WON'T do this, but because there is no precedent (that I know of) restricting the export of small pieces of data. They aren't crypto programs, or anywhere close. The only nexus of restriction is presumably crypto programs, and signatures aren't that!

Jim Bell
jimbell@pacifier.com