[666] in cryptography@c2.net mail archive

Re: EAR questions.

daemon@ATHENA.MIT.EDU (Peter Trei)
Thu May 1 10:24:24 1997

From: "Peter Trei" <trei@process.com>
To: das@razor.engr.sgi.com (Anil Das), cryptography@c2.net
Date: Thu, 1 May 1997 10:25:50 -6
Reply-to: trei@process.com
CC: trei@c2.net

> Date:          Wed, 30 Apr 1997 23:11:02 -0700
> From:          das@razor.engr.sgi.com (Anil Das)
> To:            cryptography@c2.net
> Subject:       EAR questions.

> 	I couldn't find a solid answer to the following questions,
> after reading relevant sections of the EAR, and talking to some
> people. I am looking for considered opinions, not legal advice.
> 
> 1) Does a software such as the DESCHALL client or Peter Trei's DESKR
> program, in object code form, need a license to be exported? Keep
> in mind that even though there are some cryptographic functions
> inside the programs, they cannot be directly used to encrypt data,
> nor can they be easily modified (i.e. without reverse engineering)
> to make data encryption possible.


DESKR is not a good example, for two reasons.

1. I distribute it only as a PGP-signed zip file which includes full
sources, as well as a Win32 executable, so users can independently 
verify that the code does what it says it does.

2. One of the options is to take challenge data from a user-provided
startup file, and apply a user-supplied key to it.  This was done
(again) so that users could verify the operation of the program, 
using the RSA-supplied test vector. Thus, it has a
rudimentary capability for general-purpose decryption.

> 2) Does the "printed matter exception" apply only to publications?
> Is it legal, under the EAR, for somebody in the US to print out
> the source code for an encryption program on paper and send it to
> a private party abroad (not a country in the enemies list). Does
> it make any difference whether this is done for monetary compensation?
> Does it make any difference whether the sender intends to keep the
> source code secret between himself and the recipient?

I'm not sure on this one. We're in the Alice-in-Wonderland world of
export regs here, where one of the players (the government) gets to
decide what words mean.

Curiously, the US bans electronic export of crypto source, while 
printed books such as AC are exportable. In Britain, 'intangible
export' (ie, electronic) is uncontrolled, while 'tangible export'
such as books IS controlled. Thus, what is legal from the US is 
illegal from Britain, and vice versa.

> Anil Das

Since Svend Mikkelsen has finally released sources for his BrydDES
program (see http://inet.uni-c.dk/~svolaf/des.htm), I'm re-evaluating
whether to continue work on DESKR. His code is faster than mine, and
with the source available, people can determine whether it's 
trustworthy (I never had serious doubts, but it's a matter of 
principle).

Peter Trei
trei@process.com
 
