From owner-spki@c2.net Mon Feb 22 04:30:13 1999
Received: from blacklodge.c2.net (blacklodge.c2.net [140.174.185.245])
	by lox.sandelman.ottawa.on.ca (8.8.7/8.8.8) with ESMTP id EAA12471;
	Mon, 22 Feb 1999 04:30:11 -0500 (EST)
Received: (from majordom@localhost)
	by blacklodge.c2.net (8.8.8/8.7.3) id AAA02812 for spki-outgoing;
	Mon, 22 Feb 1999 00:17:33 -0800 (PST)
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: spki@c2.net
Subject: Re: MIT implementation sources?
Cc: cpovey@dstc.qut.edu.au, frantz@netcom.com
Reply-To: pgut001@cs.auckland.ac.nz
X-Charge-To: pgut001
X-Authenticated: relaymail v0.9 on cs26.cs.auckland.ac.nz
Date: Mon, 22 Feb 1999 21:16:39 (NZDT)
Message-ID: <91967139906717@cs26.cs.auckland.ac.nz>
Sender: owner-spki@c2.net
Precedence: bulk

>>>My reading of the latest Wasenaar (sp?) agreement is that authentication
>>>only systems are completely de-controlled. As such, unless you are in one
>>>of the 5 really bad guy countries, export/import is completely legal.
>>
>>Hmm, are you sure that Wassenaar allows export of sources? If memory serves
>>correctly, only binary code is granted export if it meets the criteria.
>
>I've been working on the theory that source, being more like speech than
>object code, is certainly exportable if object code is. I didn't see
>anything in the Wassenaar agreement about source vs. object, but I could have
>missed it.

Like a lot of Wassenaar, what is and isn't controlled is whatever your government says is or isn't controlled. In particular, source code can be controlled even though the equivalent object code isn't controlled because it's possible to take crippled or authentication-only source and turn it into a non-crippled or crypto-capable program. I know that both the US and NZ governments treat source as being more dangerous than object code, and often won't allow source code to be exported even if the equivalent object code is exportable.

If the SPKI code contains RSA signature code for any key size, it's almost certainly controlled, since it's trivial to turn it into strong encryption code.

Peter.