re:using PGP only for digital signatures
Hello, I am in a discussion (during the week) with a system administrator about seeing if we can just make PGP publicly available to everyone, but now the discussion seems to be to just allow PGP to do digital signatures, and I don't think that is the best choice, then. They are not against PGP being used, but there are legal issues as to whether they can offer it to everyone, as some students are international students, and are not allowed to use the version for the US, or so I have been informed, so now I need to see if we can have the international version, so these students can use it. :( Are there any good programs (for the Unix, SunOS) that just do digital signature encryption? What they are trying to do is make certain that no one can send a message to anyone, claim to be in the faculty, and cause problems that way. My position is just a student programmer, but I am trying to learn as much as I can, to answer questions and deal with problems. Thanx.
James Black
black@suntan.eng.usf.edu
Well, MIT does make PGP available to any and all students and staff! The opinion I've heard is that if the US gov't doesn't want an international student at MIT to use the code, they should keep that student from coming to the US. By allowing the student into the US, the gov't is implicitly giving them the right to use PGP within the US. It is still illegal for them to export it, however any foreign national can walk up to any computer store and buy anything they wish, and take it on the plane with them. Therefore, in an institution of higher learning, the same standards should be allowed. If the government does not want your student to have access to possibly "dangerous" information, then they should not be allowed into the country at all. Therefore, I say just make PGP available to your students.
-derek
On Sat, 4 Nov 1995, Derek Atkins wrote:
> student from coming to the US. By allowing the student into the US, the gov't is implicitly giving them the right to use PGP within the US.
This is kind of a risky policy to take. The general feeling I get is that allowing non green-card holders access to strong cryptography is sort of decriminalised, in that the police aren't likely to break down your door and have your AFS server accidentally fall down stairs. However, it is still against the law, and could be used against the university in other unrelated circumstances. It seems that licences allowing foreign nationals access to cryptographic software within the US are pretty easy to get, and especially for something like PGP on a central machine.
Simon
// My name is Spero, Simon Spero - licence to encrypt
> This is kind of a risky policy to take. The general feeling I get is that allowing non green-card holders access to strong cryptography is sort of decriminalised, in that the police aren't likely to break down your door and have your AFS server accidentally fall down stairs. However, it is still against the law, and could be used against the university in other unrelated circumstances.
Actually, it's not. There is precedent, in that at one point (rumour mode on -- I have not verified this story) MIT was asked to not allow certain students into the MIT nuclear reactor. These international students had been accepted into the Nuclear Engineering program, which sort of requires them to have access. MIT's response was to tell the gov't that if they didn't want to let these students have access to the nuclear reactor, then they should not be allowed in the country, since MIT will not discriminate against students based on silly criteria such as where they live. The state department said they couldn't do that, since they had nothing to keep the students out of the country. MIT responded that they couldn't do it either, and the gov't backed down. I'm not convinced that it is as risky as you say. Besides, MIT does have a lot of political power, so they are more likely to get away with it than other places might. However I think it is a reasonable position for an educational institution to take.
-derek
Simon Spero writes:
: It seems that licences allowing foreign nationals access to cryptographic
: software within the US are pretty easy to get, and especially for
: something like PGP on a central machine.
Really? Would you please explain how one can apply for such a license? To say nothing about how one can actually get one?
Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH
Internet: junger@pdj2-ra.f-remote.cwru.edu junger@samsara.law.cwru.edu
Hello,
On Sat, 4 Nov 1995, Derek Atkins wrote:
> It is still illegal for them to export it, however any foreign national can walk up to any computer store and buy anything they wish, and take it on the plane with them. Therefore, in an institution of higher learning, the same standards should be allowed. If the government does not want your student to have access to possibly "dangerous" information, then they should not be allowed into the country at all.
> Therefore, I say just make PGP available to your students.
I'm trying, but all the legal angles need to be covered first. This answer helped a great deal though. Just remember, I am just an undergrad student. :) Thanx.
James Black
James Black writes:
> I am in a discussion (during the week) with a system administrator about seeing if we can just make PGP publicly available to everyone, but now the discussion seems to be to just allow PGP to do digital signatures, and I don't think that is the best choice, then. They are not against PGP being used, but there are legal issues as to whether they can offer it to everyone, as some students are international students, and are not allowed to use the version for the US, or so I have been informed, so now I need to see if we can have the international version, so these students can use it. :(
Actually, nothing in the ITAR says foreigners can't USE the U.S. version of PGP, just that you can't give them the software. However, I think it is a bad idea to make PGP available on a multiuser computer. It encourages a very, very bad habit -- that of using PGP on a multiuser computer....
> What they are trying to do is make certain that no one can send a message to anyone, claim to be in the faculty, and cause problems that way.
But since you are using this software on a multiuser computer over likely insecure lines, or, even worse, over an insecure LAN, all you are going to do is make things even stickier when someone steals a key and starts pretending to be some faculty member anyway. Don't use public key software on untrusted hardware over insecure links. It's a BAD BAD BAD thing.
Perry
participants (5)
- Derek Atkins
- James Black
- Perry E. Metzger
- Peter D. Junger
- Simon Spero