Re: Java Crypto API questions
At 8:15 5/31/96, Moltar Ramone wrote:
My guess would be that the first of these two points answers the second. Everything is exportable -- except signed third-party security packages. My bet would be that the exportable code would not be more than RC4-40 or perhaps 1DES, but that a signed package would go to RC4-128, 3DES, and RSA-1024. However, the signature on that package would be on the condition that the vendor/distributor of that package follow all export regulations.
Where does this leave foreign vendors? Will Sun sign the 3DES package of a foreign vendor? Disclaimer: My opinions are my own, not those of my employer. -- Lucky Green <mailto:shamrock@netcom.com> PGP encrypted mail preferred.
On Fri, 31 May 1996, Lucky Green wrote:
At 8:15 5/31/96, Moltar Ramone wrote:
My guess would be that the first of these two points answers the second. Everything is exportable -- except signed third-party security packages. My bet would be that the exportable code would not be more than RC4-40 or perhaps 1DES, but that a signed package would go to RC4-128, 3DES, and RSA-1024. However, the signature on that package would be on the condition that the vendor/distributor of that package follow all export regulations.
Where does this leave foreign vendors? Will Sun sign the 3DES package of a foreign vendor?
Probably. But they won't be able to export the signed 3DES package :) It leaves foreign vendors in trouble, is where. ---------- Jon Lasser (410)532-7138 - Obscenity is a crutch for jlasser@rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA.
Moltar Ramone writes:
Probably. But they won't be able to export the signed 3DES package :) It leaves foreign vendors in trouble, is where.
Sun can export the signature though. The vendor already has the package, they just need the sig/cert... andrew
Andrew Loewenstern wrote:
Moltar Ramone writes:
Probably. But they won't be able to export the signed 3DES package :) It leaves foreign vendors in trouble, is where.
Sun can export the signature though. The vendor already has the package, they just need the sig/cert...
Not likely. Sun will probably be required to agree not to do this as a condition of exporting software with "pluggable crypto". Software with hooks for crypto functions is treated the same as the actual crypto as far as the ITAR is concerned. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
On Mon, 3 Jun 1996, Jeff Weinstein wrote:
Andrew Loewenstern wrote:
Sun can export the signature though. The vendor already has the package, they just need the sig/cert...
Not likely. Sun will probably be required to agree not to do this as a condition of exporting software with "pluggable crypto". Software with hooks for crypto functions is treated the same as the actual crypto as far as the ITAR is concerned.
When Microsoft announced their crypto API, they also announced that their signatures on crypto modules would be export-restricted. According to e-mail I received from a Microsoft employee on the project, the act of signing was considered a "defense service" under ITAR, so exporting the signature would somehow be performing defense services for foreign persons. It makes slightly less sense to me than the rest of the crypto export restrictions do, but I guess that's the deal that Microsoft worked out with the Feds in order to be allowed to do a crypto API at all. Joe
participants (5)
-
Andrew Loewenstern -
Jeff Weinstein -
Moltar Ramone -
RHS Linux User -
shamrock@netcom.com