
On Wed Apr 3, 1996, John Deters wrote:
At 02:31 PM 4/2/96 -0800, you wrote:
Hello all,
I'm trying to figure out exactly what the laws are regarding the export of software which contains "hooks" for PGP. In various forms, I've heard that it's not the ITAR which prevents this, but more a "suggestion" by the NSA that we "shouldn't do it." Does anyone have any pointers to real legislation/laws regarding this?
There are a number of "PGP Helpers" (If this is Tuesday, it must be PGP) out there. These are other PGP front end applications such as Private Idaho, PGPShell and others that do NOT include PGP, nor do they contain any encryption code within them. These applications are all billed as "freely exportable". If your software does not contain any encryption code, such that it simply "invokes" the user's separately-obtained-and-installed copy of PGP, you are not in violation of ITAR. It sounds like this is what you're doing with your "hooks for PGP".
I am not a lawyer. Hooks to encryption code have *sometimes* been considered "ancillary devices" and as such are in violation of ITAR. Calling another executable like pgp *might* be less of an issue than having source code hooks that call crypto library routines, but maybe not. (And no, I don't understand why they would be different.)
NCSA had something related to this in their use of PEM/PGP in httpd. See some info at: http://hoohoo.ncsa.uiuc.edu/docs/PEMPGP.html which says:
Note: As of NCSA HTTPd 1.4.1, support for PEM/PGP encryption was removed in order to bring NCSA in compliance with the International Treaty on Arms Reduction to which the United States of America is a signatory. We hope to have an improved version available with NCSA HTTPd 1.5 from an export controlled server.
In sum, check with a lawyer.
Howard