e$: Cryptography -- The Steel Rails of Digital Commerce

Robert Hettinga rah at shipwright.com
Sun Dec 6 07:17:31 PST 1998



-----BEGIN PGP SIGNED MESSAGE-----


Lots of sensible people on cypherpunks have made an excellent point before,
but Nelson Minar has said it quite succinctly in the message below, with an
outstanding example from Sun, in the post that I'm including here from Perry
Metzger's cryptography list.

The point it this: There is only one, and completely acceptable, solution to
this whole crypto-exportabilty mess: don't export anything. That is, make
*only* strong crypto, make it inside your country, and let crypto folks in
other countries take care of themselves. The permiability of national borders
to the internet will get your actual cryptography overseas if it's novel
and useful, and, if you use crypto plugged into your software, like Sun
does with Java, then you'll sell more of that software because it
*requires* strong cryptography, other people's or not.

Geodesic, recursive software auctions with digital bearer-settled cash will
eventually make all of this, including intellectual property issues, moot
someday :-), but, in the meantime, simply obeying the laws on crypto export
will work marvellously. Even in a post- "Adult Action" world, where all
laws are enforceable everywhere, obeying them all, will, paradoxically,
work just fine, as we'll see in a bit.


Of course, all this makes the crypto *import*/arbitrage market, where C2NET
made their first million, a mostly diminishing one, whether Wassenaar works
or not. Certainly it's not a large enough market to renounce your citizenship
for, as one member of their firm has done. This whole export-control tactic
will eventually fail, and when crypto is unregulated, either by the market
or by law itself, some crypto-fugitives will still be locked out of the
largest economies in the world, especially if, however temporary the tactic
and doomed to failure it is, nation-states actually criminalize
crypto-arbitrage itself.


Again, it's not laws, it's technology, which is the solution to this silly,
and fairly theocratic, dispute about criminalizing the export of cryptography.

Remember the e$yllogism: Strong cryptography is essential to digital commerce.
In fact, strong financial cryptography is utterly necessary *and* sufficient
for digital commerce. Thus, no strong cryptography, no digital commerce.

Since all commerce will have a digital, and thus cryptographic, component
soon enough, cryptographic regulation is, like Carl Ellison's analogy of
church doctrine forbidding peasants from shooting nobility, fairly useless.
Especially since nation-states can't help but allow the use of strong
cryptography to facilitate commerce, in the same way that they can't help
but allow the use of steel in their railroads.


So, I say unto all ye crypto-peasants out there, obey the Doctrine of
Crypto-Prohibition, on pain of the loss of your immortal soul. That is,
make and use the strongest cryptography that your microprocessors can
handle, and, like the peasant who, in confession, admits the shooting of a
knight, obey dogma and don't export cryptography: it will "export" itself,
like all good ideas do.

Cryptography, like the technology of gunpowder -- or better, steel -- is not
optional.


Cheers,
Robert Hettinga



- --- begin forwarded text


MIME-Version: 1.0
Date: Sat, 5 Dec 1998 18:47:25 -0500 (EST)
From: nelson at media.mit.edu (Nelson Minar)
To: Raph Levien <raph at acm.org>
Cc: cryptography at c2.net
Subject: Re: Wassenaar vs. CipherSaber
Sender: owner-cryptography at c2.net

>I'm spending more and more of my time these days in the free software
>community (not all that big a leap for a cypherpunk). I'm seeing the
>"crypto integration" problem all over the place.

This is an issue of serious concern; it's really holding up the
adoption of encryption, particularly at the TCP/IP level.

An interesting model for how to get around the US regulations is what
Sun is doing with Java. Java 1.2 ships with pretty much everything you
need for strong, composable cryptography - big numbers, a key
management framework, digital signatures.

But they're following the letter of the US export regulations. Sun has
defined the Java Cryptographic Extensions, a decent API for doing
encryption. Bcause they are a US company they only ship a JCE
implementation to people in the US. But they've made it about as easy
as possible for folks outside the US to implement their own drop-in
replacements.

One interesting choice they've made is that, as near as I can tell,
they aren't even bothering to ship a 40/56 bit crippled version. If
you want crypto at all, you have to use Sun's JCE or get a non-US
alternative. So you can only get real crypto, not some useless junk.

I think that's probably the right idea - don't cave in to the US
regulations, just follow them the minimum you have to and make sure
it's easy for people outside the US to reimplement the parts you are
not allowed to ship.

I guess we have to wait and see how much Wassenaar complicates things.

                                                  nelson at media.mit.edu
.       .      .     .    .   .  . . http://www.media.mit.edu/~nelson/

- --- end forwarded text

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.5

iQEVAwUBNmqVrcUCGwxmWcHhAQE0zwgAqVUrB7Vu1NVqNHaGHeRTHUB9Z2li7x/m
5eMYUdKu8I3696LCC9CApwHi2vGW39jh0/dUR26+utNQ6MaJEyCrpjA7WpSvaqBQ
XGrEPjEN58KQAlGydmjpxxL4ukX606dTKndiTPz5ujRGo1EtshRkB+2NmnUZOYZN
+ECDrOylPFkDLDMqLGwqzY9zU79xZMvyIVQvpT2onUzfx3LgyjjC2/ZQbvJmOSsD
vk14KbsyL6UEwyaH8FqUZWG/qGgQSALJsLpregApq0QHWl15+rEd+TvqWnyPvDKL
cIIz3Cyo0QlwYFQWhg6JiPWRB+GQxaDaMS7QQqZeBqUSJclnVdJH+w==
=gpAa
-----END PGP SIGNATURE-----
-----------------
Robert A. Hettinga <mailto: rah at philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'






More information about the cypherpunks-legacy mailing list