Java Crypto API questions

jim bell jimbell at pacifier.com
Mon Jun 3 17:48:37 PDT 1996


At 11:20 AM 6/3/96 -0400, RHS Linux User wrote:
>
>
>On Mon, 3 Jun 1996, Jeff Weinstein wrote:
>
>> Andrew Loewenstern wrote:
>> > 
>> > Sun can export the signature though.  The vendor already has the package,
>> > they just need the sig/cert...
>> 
>>   Not likely.  Sun will probably be required to agree not to do this
>> as a condition of exporting software with "pluggable crypto".  Software
>> with hooks for crypto functions is treated the same as the actual crypto
>> as far as the ITAR is concerned.
>
>When Microsoft announced their crypto API, they also announced that their 
>signatures on crypto modules would be export-restricted.

That doesn't mean that they are, LEGALLY, export-restricted.  Microsoft 
can't generally bind third parties to agreements with the government.  Even 
in circumstances where it might appear that they can enter into an agreement 
with a customer, Microsoft is sufficiently big that any terms it forces on 
customers are automatically suspect of being oppressive, especially if there 
is no valid business reason for a particular restriction.  Besides, a 
violation of any such agreement is merely a violation of an agreement with 
Microsoft, not the USG.   It is unlikely Microsoft is going to take 
individual customers of their customer to court for violation of some 
no-export agreement.

>  According to 
>e-mail I received from a Microsoft employee on the project, the act of 
>signing was considered a "defense service" under ITAR, so exporting the 
>signature would somehow be performing defense services for foreign 
>persons. 

Even if it is arguable that the signing of a piece of software constitutes a 
"defense service," that service is performed for somebody, domestically, who 
delivers that software to Microsoft.  Once that software is signed, the 
"defense service" is over and done with.  At that point, you merely have an 
object, a signature, which cannot encrypt or decrypt data.  It is even less 
useful than a microprocessor or RAM at facilitating encryption.

 It makes slightly less sense to me than the rest of the crypto 
>export restrictions do, but I guess that's the deal that Microsoft worked 
>out with the Feds in order to be allowed to do a crypto API at all.

I think you've hit the nail on the head:  The Feds were well aware that 
Microsoft had plenty of money to challenge them in court, and they would 
almost certainly have lost.  So the Feds gave in on the API issue, and in 
exchange Microsoft agreed to publicly state that "the signatures on crypto 
modules would be export-restricted."  Doesn't make it so.

Jim Bell
jimbell at pacifier.com






More information about the cypherpunks-legacy mailing list