Re: Solution for US/Foreign Software?
1. Write a program with limited encryption (40 bit?), with the encryption module in a file external to the main program.
2. Get export approval for this program.
3. Write a module which replaces the encryption file, increasing key size to whatever you REALLY wanted in the first place. (128-bit IDEA, 2000-bit PGP, etc.)
4. Ship that new module with the old software to US customers.

Naturally, that new module will "leak," so anybody who buys the old
Tim May replied
"Crypto hooks," basically the scheme you are proposing, were thought of by the authorities and are not a bypass of the crypto export laws.
I had interpreted the suggestion differently - rather than a system with user-accessible crypto hooks, the manufacturer could ship a binary patch upgrade for US customers to install. The internal design would presumably have crypto hooks (i.e. subroutine calls); they can't ban that.

Of course, if you follow this strategy, get export approval for version 1.0, and ship the US-only patch as 1.1, getting export approval for version 2.0 may be a shade more difficult...

#--
# Thanks; Bill
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0663 Pager/Voicemail 1-408-787-1281
# Anybody notice that Microsoft's Wide Open Road ad has barbed-wire fences
# on both sides of the road?
Bill Stewart writes:
I had interpreted the suggestion differently - rather than a system with user-accessible crypto hooks, the manufacturer could ship a binary patch upgrade for US customers to install. The internal design would presumably have crypto hooks (i.e. subroutine calls); they can't ban that.
No, they can't *ban* it, but there's no reason to suspect that they won't revoke the export license after the scheme becomes clear. And of course the patch itself would not be exportable. If there's a "wink wink nudge nudge" implication that the patch would make its way overseas, I don't understand why that's really any more likely than the US-only version getting out.

Note that the USGov puts definite explicit heat on corporations to make it clear that they're serious about this stuff. The responsible VP for such things at one company with which I'm familiar was explicitly reminded that he could personally be held criminally liable for any transgressions of the export laws.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Nobody's going to listen to you if you just | Mike McNally (m5@tivoli.com) |
| stand there and flap your arms like a fish. | Tivoli Systems, Austin TX    |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Participants (2): Bill Stewart, m5@dev.tivoli.com