keywords: ITAR, SHA, beneficial and innocuous crypto The persistent reputation known as Bill Stewart wrote:
Date: Wed, 04 Sep 1996 23:09:17 -0700 From: Bill Stewart <stewarts@ix.netcom.com> To: Kent Briggs <72124.3234@compuserve.com> Cc: cypherpunks@toad.com Subject: Re: rc2 export limits..
I'm afraid my source is "Read it on the net and was surprised to hear it". My assumption is that the limit is for software that implements both signature and verification, since ITAR doesn't ban export of pure-authentication software.
The FIPS Pub (?180? ?181?) for the Secure Hash Algorithm (SHA) states in the fine print at the beginning that SHA is export controlled. I don't have the document to refer to right now, but it plainly states that SHA falls under ITAR. As a cryptographic hash function, why would it be controlled in this way? How can I use SHA to encrypt something for someone else to decrypt? I know how to use it for authentication; am I missing something here? ANFSCD: I tried that OnNet32 e-mail software from FTP software. It runs under Windows95. It is a lot of material to download, and way too intrusive to install. It wants to metastasize itself into the innards of Microsoft Exchange and Inboxes, etc. What is it with all this complexity anyway? Why not just have a POP client that will check mail on the server? It also wants you to store your mailbox password in it, as opposed to letting you enter it on a session-by-session basis. I don't like that. sticking with PINE, PGP, and Xywrite II for now....