Re: software with "hooks" for crypto
At 02:31 PM 4/2/96 -0800, you wrote:
Hello all,
I'm trying to figure out exactly what the laws are regarding the export of software which contains "hooks" for PGP. In various forms, I've heard that it's not the ITAR which prevents this, but more a "suggestion" by the NSA that we "shouldn't do it." Does anyone have any pointers to real legislation/laws regarding this?
There are a number of "PGP Helpers" (If this is Tuesday, it must be PGP) out there. These are other PGP front end applications such as Private Idaho, PGPShell and others that do NOT include PGP, nor do they contain any encryption code within them. These applications are all billed as "freely exportable". If your software does not contain any encryption code, such that it simply "invokes" the users separately-obtained-and-installed copy of PGP, you are not in violation of ITAR. It sounds like this is what you're doing with your "hooks for PGP". I would recommend you visit a couple of these helper application sites and check out what their authors say about the exportability of their code. You might ask them if they have encountered any legal difficulties because their code is advertised as freely exportable. Private Idaho is available at www.eskimo.com/~joelm and (rats) you'll have to hunt PGPShell down yourself. If you actually include the RSA algorithms, the IDEA algorithm, or any "cryptographic" code in your software, then yes, you could get in trouble for exporting it. Again, remember that I'm not a lawyer and that any legal advice you get from anyone on the net is worth exactly what you pay for it. -j, is anyone else finding it harder to say the "Pledge of Allegiance" to this country these days? -- J. Deters
From our _1996_Conflict_of_Interest_Statement_, re: our No Gift policy: "If you receive any alcoholic beverages, for example, a bottle of wine, you must give the gift to your location Human Resources Manager." This memo is from the Senior V.P. of Human Resources. +---------------------------------------------------------+ | NET: jad@dsddhc.com (work) jad@pclink.com (home) | | PSTN: 1 612 375 3116 (work) 1 612 894 8507 (home) | | ICBM: 44^58'33"N by 93^16'42"W Elev. ~=290m (work) | | PGP Key ID: 768 / 15FFA875 | +---------------------------------------------------------+
On Wed Apr 3, 1996, John Deters wrote:
At 02:31 PM 4/2/96 -0800, you wrote:
Hello all,
I'm trying to figure out exactly what the laws are regarding the export of software which contains "hooks" for PGP. In various forms, I've heard that it's not the ITAR which prevents this, but more a "suggestion" by the NSA that we "shouldn't do it." Does anyone have any pointers to real legislation/laws regarding this?
There are a number of "PGP Helpers" (If this is Tuesday, it must be PGP) out there. These are other PGP front end applications such as Private Idaho, PGPShell and others that do NOT include PGP, nor do they contain any encryption code within them. These applications are all billed as "freely exportable". If your software does not contain any encryption code, such that it simply "invokes" the users separately-obtained-and-installed copy of PGP, you are not in violation of ITAR. It sounds like this is what you're doing with your "hooks for PGP".
I am not a lawyer. Hooks to encryption code have *sometimes* been considered "ancillary devices" and as such are in violation of ITAR. Calling another executable like pgp *might* be less of an issue than having source code hooks that call crypto library routines, but maybe not. (And no I don't understand why they would be different) NCSA had something related to this in their use of PEM/PGP in httpd. See some info at: http://hoohoo.ncsa.uiuc.edu/docs/PEMPGP.html which says: Note: As of NCSA HTTPd 1.4.1, support for PEM/PGP encryption was removed in order to bring NCSA in compliance with the Internation Treaty on Arms Reduction to which the United States of America is a signatory. We hope to have an improved version available with NCSA HTTPd 1.5 from an export controlled server. In sum, check with a lawyer. Howard
participants (2)
-
Howard Melman -
John Deters