exporting signatures only/CAPI (was Re: Why not PGP?)

Steve Schear azur at netcom.com
Sat Oct 12 09:07:50 PDT 1996


>Jim Bell <jimbell at pacifier.com> writes:
>> At 08:49 AM 10/11/96 +0100, Adam Back wrote:
>> >  [...].  Microsoft's CAPI arrangement is that they will not
>> >  sign non-US CAPI compliant crypto modules (Examples of enforcement of
>> >  no-hooks interpretation).
>>
>> Does that fix the "export only the signature" problem (for the
>> government)/opportunity (for the rest of us)?   You know, present Microsoft
>> with the software, don't tell them it's already out of the US, and they sign
>> it.  Export the signature only  (who cares if this is legal!) and edit the
>> international software to contain the signature.
>
>Export the lot, signature included :-)
>
>(I doubt exporting only the signature once the story came out would
>offer you any more protection legally than exporting the software).
>
>As you say who cares if it's illegal: things get exported all the
>time.
>
>The problem however, is finding a non-US site to hold the hot potato
>once it has been exported.  For example 128 bit Netscape beta was
>exported a while ago.  I don't see it on any non-US sites.  This is
>due to Netscape's licensing requirements, you need a license to be a
>netscape distribution site, the license doesn't include the right to
>mirror non-exportable versions on non-US sites.
>

That's one good application for remailers, and .warez newsgroups. at.

>If the exported software is `PGP3.0 for CAPI' or whatever, I think it
>should be fair to conclude it will be cheerfully mirrored by all, and
>Phil Zimmermann won't be complaining.  (PGPfone is on ftp.ox.ac.uk,
>plus other places, for example.)  So yes, I agree, for software with
>appropriate distribution licenses.
>
>Another approach, which has been discussed lately is the use of a
>patch to usurp Microsoft as the signatory for CAPI modules.  I wonder
>what Microsoft would say about an unauthorised patch, to fix an ITAR
>induced `bug' in windows.  Bill Gates doesn't sound pro-GAK.  If they
>aren't going to complain, perhaps such patches could be distributed
>widely outside the US also.
>
>The new owner of the CAPI signatory key would need a good reputation,
>and presumably a policy of signing any (non-GAKked) CAPI modules
>signed by microsoft, and anything else that anyone wants signed.
>

An excellent suggestion.









More information about the cypherpunks-legacy mailing list