-----BEGIN PGP SIGNED MESSAGE----- Lots of sensible people on cypherpunks have made an excellent point before, but Nelson Minar has said it quite succinctly in the message below, with an outstanding example from Sun, in the post that I'm including here from Perry Metzger's cryptography list. The point it this: There is only one, and completely acceptable, solution to this whole crypto-exportabilty mess: don't export anything. That is, make *only* strong crypto, make it inside your country, and let crypto folks in other countries take care of themselves. The permiability of national borders to the internet will get your actual cryptography overseas if it's novel and useful, and, if you use crypto plugged into your software, like Sun does with Java, then you'll sell more of that software because it *requires* strong cryptography, other people's or not. Geodesic, recursive software auctions with digital bearer-settled cash will eventually make all of this, including intellectual property issues, moot someday :-), but, in the meantime, simply obeying the laws on crypto export will work marvellously. Even in a post- "Adult Action" world, where all laws are enforceable everywhere, obeying them all, will, paradoxically, work just fine, as we'll see in a bit. Of course, all this makes the crypto *import*/arbitrage market, where C2NET made their first million, a mostly diminishing one, whether Wassenaar works or not. Certainly it's not a large enough market to renounce your citizenship for, as one member of their firm has done. This whole export-control tactic will eventually fail, and when crypto is unregulated, either by the market or by law itself, some crypto-fugitives will still be locked out of the largest economies in the world, especially if, however temporary the tactic and doomed to failure it is, nation-states actually criminalize crypto-arbitrage itself. Again, it's not laws, it's technology, which is the solution to this silly, and fairly theocratic, dispute about criminalizing the export of cryptography. Remember the e$yllogism: Strong cryptography is essential to digital commerce. In fact, strong financial cryptography is utterly necessary *and* sufficient for digital commerce. Thus, no strong cryptography, no digital commerce. Since all commerce will have a digital, and thus cryptographic, component soon enough, cryptographic regulation is, like Carl Ellison's analogy of church doctrine forbidding peasants from shooting nobility, fairly useless. Especially since nation-states can't help but allow the use of strong cryptography to facilitate commerce, in the same way that they can't help but allow the use of steel in their railroads. So, I say unto all ye crypto-peasants out there, obey the Doctrine of Crypto-Prohibition, on pain of the loss of your immortal soul. That is, make and use the strongest cryptography that your microprocessors can handle, and, like the peasant who, in confession, admits the shooting of a knight, obey dogma and don't export cryptography: it will "export" itself, like all good ideas do. Cryptography, like the technology of gunpowder -- or better, steel -- is not optional. Cheers, Robert Hettinga - --- begin forwarded text MIME-Version: 1.0 Date: Sat, 5 Dec 1998 18:47:25 -0500 (EST) From: nelson@media.mit.edu (Nelson Minar) To: Raph Levien <raph@acm.org> Cc: cryptography@c2.net Subject: Re: Wassenaar vs. CipherSaber Sender: owner-cryptography@c2.net

I'm spending more and more of my time these days in the free software community (not all that big a leap for a cypherpunk). I'm seeing the "crypto integration" problem all over the place.

This is an issue of serious concern; it's really holding up the adoption of encryption, particularly at the TCP/IP level. An interesting model for how to get around the US regulations is what Sun is doing with Java. Java 1.2 ships with pretty much everything you need for strong, composable cryptography - big numbers, a key management framework, digital signatures. But they're following the letter of the US export regulations. Sun has defined the Java Cryptographic Extensions, a decent API for doing encryption. Bcause they are a US company they only ship a JCE implementation to people in the US. But they've made it about as easy as possible for folks outside the US to implement their own drop-in replacements. One interesting choice they've made is that, as near as I can tell, they aren't even bothering to ship a 40/56 bit crippled version. If you want crypto at all, you have to use Sun's JCE or get a non-US alternative. So you can only get real crypto, not some useless junk. I think that's probably the right idea - don't cave in to the US regulations, just follow them the minimum you have to and make sure it's easy for people outside the US to reimplement the parts you are not allowed to ship. I guess we have to wait and see how much Wassenaar complicates things. nelson@media.mit.edu . . . . . . . . http://www.media.mit.edu/~nelson/ - --- end forwarded text -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.5.5 iQEVAwUBNmqVrcUCGwxmWcHhAQE0zwgAqVUrB7Vu1NVqNHaGHeRTHUB9Z2li7x/m 5eMYUdKu8I3696LCC9CApwHi2vGW39jh0/dUR26+utNQ6MaJEyCrpjA7WpSvaqBQ XGrEPjEN58KQAlGydmjpxxL4ukX606dTKndiTPz5ujRGo1EtshRkB+2NmnUZOYZN +ECDrOylPFkDLDMqLGwqzY9zU79xZMvyIVQvpT2onUzfx3LgyjjC2/ZQbvJmOSsD vk14KbsyL6UEwyaH8FqUZWG/qGgQSALJsLpregApq0QHWl15+rEd+TvqWnyPvDKL cIIz3Cyo0QlwYFQWhg6JiPWRB+GQxaDaMS7QQqZeBqUSJclnVdJH+w== =gpAa -----END PGP SIGNATURE----- ----------------- Robert A. Hettinga <mailto: rah@philodox.com> Philodox Financial Technology Evangelism <http://www.philodox.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'