[915] in cryptography@c2.net mail archive
RE: PGP approved for export
daemon@ATHENA.MIT.EDU (Herb Sutter)
Thu May 29 13:32:04 1997
From: Herb Sutter <HerbS@CNTC.com>
To: "'cryptography@c2.net'" <cryptography@c2.net>
Date: Thu, 29 May 1997 13:16:21 -0400
[Note: below I've included the updated news.com story as of 7am this
morning, and a copy of PGP Inc.'s press release and the restricted
list.]
Note that this is NOT really full/blanket export approval (mod
embargoes). It is export approval for only the foreign offices of about
100 specifically named U.S. firms.
Here's the updated text from
http://www.news.com/News/Item/0,4,11048,00.html?ticker.ms.ie40 :
update The U.S. government has granted an
encryption export license to one of the biggest
thorns in its side.
Pretty Good Privacy says it has won approval to
export strong encryption technology overseas. The
license allows PGP to export technology up to 128
bits without a key recovery plan; the government's
regular licenses limit exports to 56 bits.
Key recovery means that the cryptographic keys
used to decode encrypted information must be
available by court order if a law enforcement
agency needs access to the encrypted data.
PGP's founder, cryptographer Phil Zimmermann,
became something of a cause celebre when his
PGP technology was posted on the Net in defiance
of laws prohibiting international distribution of
encryption technology. Zimmermann came close to
being charged before the government dropped its
case.
To date, the government has approved only 128-bit
encryption exports for technology that protects
financial transactions, but PGP technology can
encrypt any kind of digital communication, including
its email product, now called Personal Privacy. The
company said that more than half of the Fortune
100 companies use its email software.
> The export license does not cover foreign offices of
> U.S. firms in embargoed countries, namely Cuba,
> Iran, Iraq, Libya, North Korea, Sudan, or Syria.
> PGP said it still opposes export controls on
> encryption products but welcomed the permission
> as a boon to encryption needs of U.S. firms
> overseas.
The company still has another old foe to worry
about. Encryption software giant RSA Data
Security earlier this month filed a lawsuit against
PGP. The suit alleges that PGP is unlawfully using
RSA technology licensed to Lemcom before its
merger with PGP in 1996. PGP officials say RSA's
claims are without merit.
Here's the PGP press release from http://www.pgp.com/newsroom/prel34.cgi
:
Press Release
Pretty Good Privacy Receives Government Approval to Export Strong
Encryption
SAN MATEO, Calif., May 28, 1997 -- Pretty Good Privacy, Inc.
(www.pgp.com), the
world leader in digital privacy and security software, today
announced that the U.S.
Department of Commerce has approved the export of Pretty Good
Privacy's encryption
software to the overseas offices of the largest companies in the
United States. This makes
Pretty Good Privacy the only U.S. company currently authorized to
export strong encryption
technology not requiring key recovery to foreign subsidiaries and
branches of the largest
American companies.
Click here to view the list of approved companies.
The approval allows Pretty Good Privacy to export strong, 128-bit
encryption without a
requirement that the exported products contain key recovery
features or other back doors
that enable government access to keys. More than one-half of the
Fortune 100 already use
PGP domestically to secure their corporate data and
communications.
"Now we are able to export strong encryption technology to the
overseas offices of more
than 100 of the largest companies in America, without compromising
the integrity of the
product or the strength of the encryption," said Phil
Dunkelberger, President of Pretty Good
Privacy, Inc. "We worked closely with the State Department when
they controlled the
export of encryption, and are now working with the Commerce
Department. And we have
never had a license application denied."
The license allows export of strong encryption technology, without
government access to
keys, to the overseas subsidiaries and branch offices of more than
100 of the largest
American companies, provided that the offices are not located in
embargoed countries,
namely Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria.
"As far as we know, Pretty Good Privacy, Inc. is now the only
company that has U.S.
government approval to sell strong encryption to the worldwide
subsidiaries and branch
offices of such a large number of U.S. corporations, without
having to compromise on the
strength of the encryption or add schemes designed to provide
government access to keys,"
said Robert H. Kohn, vice president and general counsel of Pretty
Good Privacy. "Pretty
Good Privacy still opposes export controls on cryptographic
software, but this license is a
major step toward meeting the global security needs of American
companies."
The U.S. government restricts the export of encryption using key
lengths in excess of 40
bits. However, 40-bit cryptography is considered "weak," because
it can be broken in just a
few hours. Generally, the U.S. government will grant export
licenses for up to 56-bit
encryption if companies commit to develop methods for government
access to keys. For
anything over 56 bits, actual methods for government access must
be in place.
Pretty Good Privacy's license permits the export of 128-bit or
"strong" encryption, without
any requirement of a key recovery mechanism that enables
government access to the data.
A message encrypted with 128-bit PGP software is
309,485,009,821,341,068,724,781,056 times more difficult to break
than a message
encrypted using 40-bit technology. In fact, according to estimates
published by the U.S.
government, it would take an estimated 12 million times the age of
the universe, on average,
to break a single 128-bit message encrypted with PGP.
"Pretty Good Privacy, Inc. has been working diligently to ensure
compliance with the export
control laws. Clearly, the Commerce Department recognizes the
needs of reputable
American companies to protect their intellectual property and
other sensitive business
information using strong cryptography," said Roszel C. Thomsen II,
partner at the law firm of
Thomsen and Burke LLP.
"User demand for strong cryptography is growing worldwide," said
Marc Rotenberg,
director of Electronic Privacy Information Center, and a leading
privacy-rights advocate.
"This is just one more example of the need to remove obstacles to
the export of the best
products the U.S. can provide."
> Companies that are approved for the export of Pretty Good
Privacy's strong encryption
> should contact Pretty Good Privacy's sales office at 415.572.0430
or visit the company's
> web site at www.pgp.com. Companies that are not currently on the
list of licenses obtained
> by Pretty Good Privacy, but would like to gain approval to use
strong encryption in their
> branch offices and subsidiaries around the world, should also
contact Pretty Good Privacy
> at 415.572.0430 for information about how to be included in future
government-approved
> export licenses for PGP.
About Pretty Good Privacy, Inc.
Pretty Good Privacy (www.pgp.com), founded in March 1996, is the
leading provider of
digital-privacy products for private communications and the secure
storage of data for
businesses and individuals. Pretty Good Privacy's original
encryption software for email
applications (PGP) was distributed as freeware in 1991 by Phil
Zimmermann, Chief
Technical Officer and Founder of Pretty Good Privacy, and allowed
individuals, for the first
time, to send information without risk of interception. With
millions of users, it has since
become the world leader in email encryption and the de facto
standard for Internet mail
encryption. Over one half of the Fortune 100 companies use PGP. In
order to provide only
the strongest encryption software, Pretty Good Privacy publishes
all of its encryption source
code and algorithms for extensive peer review and public scrutiny.
The company can be
reached at 415.572.0430; http://www.pgp.com.
For more information, please contact Mike Nelson, Pretty Good
Privacy's Director of
Corporate Communications, at 415.524.6203.
And here's the restricted list of companies from
http://www.pgp.com/newsroom/complist.cgi :
Companies approved for export of Pretty Good Privacy encryption
software.
AMR-- NYSE:AMR
AT&T-- NYSE:T
Aetna Life & Casualty-- NYSE:AET
Albertson's-- NYSE:ABS
Alcoa-- NYSE:AA
AlliedSignal-- NYSE:ALD
Allstate-- NYSE:ALL
American Express-- NYSE:AXP
American Home Products-- NYSE: AHP
American International Group-- NYSE:AIG
American Stores-- NYSE:ASC
Ameritech-- NYSE: AIT
Amoco-- NYSE:AN
Anheuser-Busch-- NYSE:BUD
Archer Daniels Midland-- NYSE:ADM
Atlantic Richfield-- NYSE:ARC
BankAmerica Corp-- NYSE:BAC
Bechtel National, Inc.
Bell Atlantic-- NYSE: BEL
BellSouth-- NYSE:BLS
Boeing-- NYSE:BA
Bristol-Myers Squibb-- NYSE:BMY
Catepillar-- NYSE:CAT
Chemical Banking Corp.
Chevron-- NYSE:CHV
Chrysler-- NYSE:C
Cigna-- NYSE:CI
Citicorp-- NYSE:CCI
Coca-Cola-- NYSE:KO
Columbia/HCA Healthcare-- NYSE:COL
Compaq Computer-- NYSE:CPQ
ConAgra-- NYSE:CAG
Dayton Hudson-- NYSE:DH
Delta Air Lines-- NYSE:DAL
Digital Equipment-- NYSE:DEC
Dow Chemical-- NYSE:DOW
E.I. Du Pont de Nemours-- NYSE:DD
Eastman Kodak-- NYSE:EKE
Estee Lauder Companies-- NYSE: EL
Exxon-- NYSE:XON
Fed. Natl. Mortgage Assn-- NYSE:FNM
Federated Department Stores-- NYSE:FD
Fleming-- NYSE:FLM
Ford Motor-- NYSE: F
GE Capital Aviation Services
GTE-- NYSE:GTE
General Electric-- NYSE:GE
General Motors-- NYSE: GM
Georgia-Pacific-- NYSE:GP
Goldman, Sachs & Co.
Goodyear Tire & Rubber-- NYSE: GT
Hewlett-Packard-- NYSE:HWP
Home Depot-- NYSE:HD
IBP-- NYSE:IBP
ITT Hartford Group-- NYSE:ITT
Intel-- NASDAQ: INTC
International Business Machines-- NYSE:IBM
International Paper-- NYSE:IP
J.C. Penney-- NYSE:JCP
J.P. Morgan & Co.-- NYSE:JPM
Johnson & Johnson-- NYSE:JNJ
Kimberly-Clark-- NYSE:KMB
Kmart-- NYSE:KM
Kroger-- NYSE:KR
Lehman Brothers Holdings-- NYSE: LEH
Lockheed Martin-- NYSE:LMT
Loews-- NYSE:LTR
MCI Communications-- NASDAQ:MCIC
May Department Stores-- NYSE:MAY
McDonnell Douglas-- NYSE:MD
McKesson-- NYSE: MCK
Merck-- NYSE:MRK
Merrill Lynch-- NYSE:MER
Metropolitan Life Insurance
Minnesota Mining & Mfg.-- NYSE:MMM
Mobil-- NYSE:MOB
Morgan, Lewis & Bockius
Motorola-- NYSE:MOT
NYNEX-- NYSE: NYN
NationsBank Corp.-- NYSE:NB
New York Life Insurance-- NASDAQ: MONY
PepsiCo-- NYSE:PEP
Philip Morris-- NYSE:MO
Phillips Petroleum-- NYSE: P
Photronics, Inc.-- NASDAQ: PLAB
PriceCostco-- NASDAQ: COST
Proctor & Gamble-- NYSE:PG
Prudential Ins. Co. of America
RJR Nabisco Holdings-- NYSE:RN
Rockwell International-- NYSE:ROK
SBC Communications-- NYSE:SBC
Safeway-- NYSE:SWY
Sara Lee-- NYSE:SLE
Sears Roebuck-- NYSE:S
Sprint-- NYSE:FON
State Farm Group
Supervalu-- NYSE:SVU
TRW-- NYSE:TRW
Texaco-- NYSE:TX
Texas Instruments-- NYSE: TXN
Travelers Group-- NYSE:TRV
UAL-- NYSE:UAL
USX-- NYSE:X
United Parcel Service
United Technologies-- NYSE:UTX
Wal-Mart-- NYSE: WMT
Xerox-- NYSE:XRX
