Java Crypto API questions

Today, CP's own Marianne Mueller was scheduled to give a talk at JavaOne on the eagerly awaited (at least by this user) Java Crypto API. I could not attend the conference, but downloaded the slides for the presentation
<http://java.sun.com/javaone/pres/Crypto.pdf>

Viewing the slides left me with some questions that I hope someone that attended the talk might be able to answer:

o "Developers do not call into Security Packages directly." It seems the developer calls java.security (presumably provided by Sun), which then will call the Security Packages. Is this view correct?

o "Security Packages must be signed. Policy for signing is public and open." I assume the packages must be signed by Sun. How much will it cost to have a package signed? How do I obtain a copy of this "public and open" policy?

o "Exportable API. Exportable applications." One code example shows performing a DES encryption. Another slide mentions "Support for [...] RSA." This is exportable? What am I missing?

o Where can I get more info on "Jeeves", the Java HTTP Server?

TIA,

Disclaimer: My opinions are my own, not those of my employer.

-- Lucky Green <mailto:shamrock@netcom.com>
   PGP encrypted mail preferred.

On Thu, 30 May 1996, Lucky Green wrote:
o "Security Packages must be signed. Policy for signing is public and open." I assume the packages must be signed by Sun. How much will it cost to have a package signed? How do I obtain a copy of this "public and open" policy?
o "Exportable API. Exportable applications." One code example shows performing a DES encryption. Another slide mentions "Support for [...] RSA." This is exportable? What am I missing?

My guess would be that the first of these two points answers the second. Everything is exportable -- except signed third-party security packages. My bet would be that the exportable code would not be more than RC4-40 or perhaps 1DES, but that a signed package would go to RC4-128, 3DES, and RSA-1024. However, the signature on that package would be on the condition that the vendor/distributor of that package follow all export regulations.

This is the way Micro$oft's CAPI is supposed to work; it's got commodities jurisdiction approval already, my bet is Sun can get the same.

----------
Jon Lasser (410)532-7138 - Obscenity is a crutch for inarticulate motherfuckers.
jlasser@rwd.goucher.edu
http://www.goucher.edu/~jlasser/
Finger for PGP key (1024/EC001E4D) - Fuck the CDA.