I got an announcement last week of a presentation early this week at my place of work on the subject of cryptographic export controls, shortly before the cripple chip announcement was made. This struck me as at least suspicious.

Well, turns out that the timing was something of a coincidence; it was just a generic presentation on the current sorry state of the export regulations, by one who had to deal with them day in and day out. He seemed to have the right attitude towards "working the regulations" and what they should be, and had been involved in a few meetings with NSA-types.

He commented that things have been getting better -- it used to be that they'd refuse to meet with you over the subject of exporting DES; now, they'll meet with you and just refuse to talk about it. The justification for ignoring the current wide availability of strong crypto outside the U.S. was that if they prevent strong crypto from falling into the hands of *one* bad guy, they will have accomplished something...

He mentioned that the Software Publishers Association deal (where companies can now export software using crippled versions of RC2 and RC4 on short notice) was a surprise to him and much of the non-PC software industry and represented an almost complete capitulation on the SPA's part. It was also uninteresting to my employer as we aren't interested in using trivially breakable crypto in our products, and the quick turnaround is pretty much meaningless given the amount of lead time needed to get a product out the door.

He also mentioned an upcoming amendment to the next version of the law which authorizes the ITAR and the commerce equivalent which would specifically allow the export of generally available encryption software; he didn't hold out much hope for it passing but considered it worth fighting for.

He was also taken by surprise by the cripple chip announcement, and also considered it a bad and ominous thing...

- Bill
Bill Sommerfeld