At 08:49 AM 10/11/96 +0100, Adam Back wrote:
- what they care to enforce
NCSA Mosaic had a PGP signature checking hook, they were told to take it out. Microsoft's CAPI arrangement is that they will not sign non-US CAPI compliant crypto modules (Examples of enforcement of no-hooks interpretation).
Does that fix the "export only the signature" problem (for the government)/opportunity (for the rest of us)? You know, present Microsoft with the software, don't tell them it's already out of the US, and they sign it. Export the signature only (who cares if this is legal!) and edit the international software to contain the signature.

Jim Bell
jimbell@pacifier.com

Jim Bell <jimbell@pacifier.com> writes:
At 08:49 AM 10/11/96 +0100, Adam Back wrote:
[...]. Microsoft's CAPI arrangement is that they will not sign non-US CAPI compliant crypto modules (Examples of enforcement of no-hooks interpretation).
Does that fix the "export only the signature" problem (for the government)/opportunity (for the rest of us)? You know, present Microsoft with the software, don't tell them it's already out of the US, and they sign it. Export the signature only (who cares if this is legal!) and edit the international software to contain the signature.
Export the lot, signature included :-) (I doubt exporting only the signature once the story came out would offer you any more protection legally than exporting the software).

As you say, who cares if it's illegal: things get exported all the time. The problem, however, is finding a non-US site to hold the hot potato once it has been exported. For example, 128 bit Netscape beta was exported a while ago. I don't see it on any non-US sites. This is due to Netscape's licensing requirements: you need a license to be a Netscape distribution site, and the license doesn't include the right to mirror non-exportable versions on non-US sites.

If the exported software is `PGP3.0 for CAPI' or whatever, I think it should be fair to conclude it will be cheerfully mirrored by all, and Phil Zimmermann won't be complaining. (PGPfone is on ftp.ox.ac.uk, plus other places, for example.)

So yes, I agree, for software with appropriate distribution licenses.

Another approach, which has been discussed lately, is the use of a patch to usurp Microsoft as the signatory for CAPI modules.

I wonder what Microsoft would say about an unauthorised patch, to fix an ITAR induced `bug' in Windows. Bill Gates doesn't sound pro-GAK. If they aren't going to complain, perhaps such patches could be distributed widely outside the US also.

The new owner of the CAPI signatory key would need a good reputation, and presumably a policy of signing any (non-GAKked) CAPI modules signed by Microsoft, and anything else that anyone wants signed.

Adam
--
#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)