I have a basic puzzlement about this whole war over strong crypto and key escrow. I admit to being relatively crypto unsavvy, but with a strong (but not avid) interest in the subject. Schneier sits on my bookshelf, and I have cracked it a few times, but the prospect of studying it seriously makes me feel slightly gut-sick. I use PGP to communicate (presumably) strong-cryptoed messages to my stepson Ray Hirschfeld in Amsterdam, and vice versa. He uses an internationational version of PGP, and I use the domestic version that I got from MIT. They seem to be compatible. I don't intend to submit my present or future private PGP keys for key escrow (Is that what's called GAK?). To protect myself against forgetting my private key (which has happened once already) I'll no doubt some day put it on a floppy and put the floppy in my bank safe deposit box. Two questions: 1. Does anyone think that legislation might be passed which would criminalize my communications with Ray? 2. Suppose someone writes a program Z that has no expicit crypto code in it, but has hooks for installing one or another version of PGP. Given a copy of Z, someone in this country could install PGP he got from MIT, whereas someone in Europe could install the international version. Would export of Z violate ITAR restrictions? Rollo Silver / Amygdala | e-mail: rollo@artvark.com 216M N. Pueblo Rd, #107 | Website: http://www.artvark.com/artvark/ Taos, NM 87571 USA | Voice: 505-751-9601; FAX: 505-751-7507
Rollo Silver writes: [uses PGP to communicate to Ray]
Two questions:
1. Does anyone think that legislation might be passed which would criminalize my communications with Ray?
It might. Some people in law enforcement/government would really like to see that, Constitution be damned.
2. Suppose someone writes a program Z that has no expicit crypto code in it, but has hooks for installing one or another version of PGP. Given a copy of Z, someone in this country could install PGP he got from MIT, whereas someone in Europe could install the international version. Would export of Z violate ITAR restrictions?
As currently interpreted by NSA/DOJ et al, yes. "Pluggable crypto" is not allowed by the people who enforce ITAR. They might be working towards the eventual police state but they're not stupid. NCSA, when they were about to release a new version of Mosaic that had hooks for PGP, were explicitly told by NSA that they would remove those hooks before the software was released. BTW, no version of PGP is exportable under ITAR; they all use real crypto. The international version exists because of patent problems with RSA and the way that those problems were resolved. I think this is explained in the README that comes with PGP; if not, the book _The Official PGP Users Guide_ by Phil Zimmerman (ISBN 0-262-74017-6) explains it. -- Eric Murray ericm@lne.com ericm@motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF
On Thu, 10 Oct 1996 rollo@artvark.com wrote:
Two questions:
1. Does anyone think that legislation might be passed which would criminalize my communications with Ray?
Yes. But I don't think the courts would uphold it in the face of a well-presented constitutional challenge. See http://www.law.miami.edu/~froomkin/articles/clipper.htm
2. Suppose someone writes a program Z that has no expicit crypto code in it, but has hooks for installing one or another version of PGP. Given a copy of Z, someone in this country could install PGP he got from MIT, whereas someone in Europe could install the international version. Would export of Z violate ITAR restrictions?
Yes, but these are currently being challenged in 3 separate court actions. The administration asserts, however, that "hooks" are every bit as unexportable as the real thing. A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin@law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here.
participants (3)
-
Eric Murray -
Michael Froomkin - U.Miami School of Law -
rolloļ¼ artvark.com