[4323] in cryptography@c2.net mail archive
SAFE - HR820 (was Re: new bill getting through congress?
daemon@ATHENA.MIT.EDU (Jim Gillogly)
Fri Mar 12 14:12:33 1999
Date: Fri, 12 Mar 1999 10:43:16 -0800
From: Jim Gillogly <jim@acm.org>
Reply-To: jim@acm.org
To: cryptography@c2.net
Someone responded to this:
>> Unfortunately the bill doesn't go far
>> enough, in that individuals are left out in the cold: it's essentially
>> for the Microsofts and Netscapes of the industry to be exportable.
>
> Everyone always says this, but no one ever says why.
I did say "out in the cold" too broadly. Let me say instead that it
gives the Microsofts and Netscapes what they need in order to provide
strong crypto to most of the world, and it takes the important step of
prohibiting mandatory GAK (not currently on the table but something
that Freeh has threatened to push for if he can't get important evidence
any other way), but doesn't deal with all the concerns that I
personally have with the export regs. In addition, as I mentioned,
I'm concerned about the "using crypto in a crime is a crime" clause.
My most recent personal interaction with BXA was to inquire about
whether I needed a license to share my research on Enigma (standard
unmodified Wehrmacht and Naval Enigma) with colleagues in Europe and
elsewhere, in source code form. I pointed out that Enigma had been
read regularly by the Allies more than 60 years ago, so it shouldn't
be a particular hindrance to the NSA or FBI. I was told that I would
indeed need to apply for an export license, and it would need to list
all the recipients of the software. Since this is inappropriate for
a mailing list (I can't know who's on it at any particular time or
whether it would be archived in the future), I gave up on the idea.
How does HR850 help me or other crypto researchers who would like to
collaborate with our non-NA colleagues? It still mandates a one-time
15-day technical review, even for items that are generally available
or in the public domain. If I were to put each new working version of
my Enigma source on a web page, is that "generally available" enough to
satisfy the "no license required" clause? Wouldn't I need to take a
two-week side trip through BXA in advance each time I wanted to make
source mods? How would I make it "generally available" before doing
the 15-day technical review without violating the regs? Would I still
need to list all the potential recipients of the software each time?
Several loose ends here, I think.
--
Jim Gillogly
Trewesday, 20 Rethe S.R. 1999, 18:13
12.19.6.0.5, 13 Chicchan 18 Kayab, Fifth Lord of Night