Tom Johnston <tomj@microsoft.com>: At 06:07 PM 1/17/96 EST, you wrote:
Two points: the CSP development kit is export-controlled; and signing a CSP developed by a foreign vendor is treated as a export -- so the signature is export-controlled.
We would ship a CSP development kit to a foreign vendor, and sign a CSP developed by the foreign vendor, but only with the appropriate export licenses.
Thanks for your reply to Dr. Vulis's question. I'd recommend examining this policy somewhat critically, for a couple of reasons: 1) Development kits are useful, but if you've got an open, documented interface, it's possible to develop code to use it without the kit. (Ignoring, of course, the risk of smuggling. :-) 2) By "is treated as an export", do you mean by explicit government policy, or by Microsoft? Digital signatures and encrypted documents are perfectly legal to export, as is authentication code to make digital signatures. 3) Consider the case of a contractor who buys the development kit, and gives you code to sign. You have no way to differentiate between code that he developed himself, and code developed by some foreign company that hired him and gave him the code (which is legal to import into the US.) He probably can't legally re-export the code, or export the signed version of it, but he can export the signature itself, since that's not cryptographic code, and the foreign company can reattach it to their original document, which you have now signed.... #-- # Thanks; Bill # Bill Stewart, stewarts@ix.netcom.com, Pager/Voicemail 1-408-787-1281 # # "Eternal vigilance is the price of liberty" used to mean us watching # the government, not the other way around....