[Top] [All Lists]

Re: Proposed Extensions to TLS for OpenPGP

1998-01-01 22:09:18
At 7:34 PM -0800 1/1/98, EKR wrote:
You write:
Incidentally, I think this is probably a dangerous course of
action. The EAR <> 7 day review
criteria explicitly state:

  (iv) The software must not allow the alteration of the data 
encryption mechanism and its associated key spaces by the user or 
any other program

It seem that Fortify is a constructive proof that the program
in question violates this criterion. That doesn't mean it's
ineligible for CJ completely but I wouldn't want to try to get
approval for it either.

I'm sure the EAR enforcement folks are well aware of how well or poorly 
various software they approve for export adhere to regulation.  I'll leave 
it to the individual corporations and EAR to soft this out.

The point I was trying to make is that from a practical standpoint
companies like Netscape need change nothing.  Just keep their code
structured the same way and let unrelated 3rd parties "do the dirty
I think we're in violent agreement here, then.

Some companies have a strong idiological calling and need to follow that star 
(i.e., PGP).  Others are spineless jellyfish who go along to get along, hoping 
that this path will keep them in the good graces of the Dept. of Commerce.  
Many fall somewhere in between.  

I don't see Netscape playing the martyr or using PGP/C2's legal guerilla 
tactics to enbable strong crypto systems and applications, it's just not their 
style.  They do seem to be, however, keenly aware of the PR associated with 
championing reliable transaction privacy and the adverse PR from being hacked 
(especially from weak crypto).  Keeping their products hackable, perhaps even 
anonymously supporting those doing the hacking, while staying within the letter 
of the law and publicly and privately pressuring for true crypto reform might 
be their best course.

For many, including myself, guerilla tactics are more attractive due to 
economic factors.  Also, I have less to lose.


PGP mail preferred, see and

RSA fingerprint: FE90 1A95 9DEA 8D61  812E CCA9 A44A FBA9
RSA key:
Steve Schear              | tel: (702) 658-2654
CEO                       | fax: (702) 658-2673
First ECache Corporation  |
7075 West Gowan Road      |
Suite 2148                |
Las Vegas, NV 89129       | Internet: schear(_at_)lvdi(_dot_)net

        I know not what course others may take; but as for me, 
        give me ECache or give me debt!

        "It's your Cache?"

<Prev in Thread] Current Thread [Next in Thread>