ietf-openpgp

Re: Proposed Extensions to TLS for OpenPGP

1998-01-01 22:09:18
At 7:34 PM -0800 1/1/98, EKR wrote:
You write:
Incidentally, I think this is probably a dangerous course of
action. The EAR <http://www.bxa.doc.gov/supp6.htm> 7 day review
criteria explicitly state:

  (iv) The software must not allow the alteration of the data 
encryption mechanism and its associated key spaces by the user or 
any other program

It seems that Fortify is a constructive proof that the program
in question violates this criterion. That doesn't mean it's
ineligible for CJ completely but I wouldn't want to try to get
approval for it either.

I'm sure the EAR enforcement folks are well aware of how well or poorly 
various software they approve for export adhere to regulation.  I'll leave 
it to the individual corporations and EAR to sort this out.

The point I was trying to make is that from a practical standpoint
companies like Netscape need change nothing.  Just keep their code
structured the same way and let unrelated 3rd parties "do the dirty
work." 
I think we're in violent agreement here, then.

Some companies have a strong ideological calling and need to follow that star 
(i.e., PGP).  Others are spineless jellyfish who go along to get along, hoping 
that this path will keep them in the good graces of the Dept. of Commerce.  
Many fall somewhere in between.  

I don't see Netscape playing the martyr or using PGP/C2's legal guerilla 
tactics to enable strong crypto systems and applications, it's just not their 
style.  They do seem to be, however, keenly aware of the PR associated with 
championing reliable transaction privacy and the adverse PR from being hacked 
(especially from weak crypto).  Keeping their products hackable, perhaps even 
anonymously supporting those doing the hacking, while staying within the letter 
of the law and publicly and privately pressuring for true crypto reform might 
be their best course.

For many, including myself, guerilla tactics are more attractive due to 
economic factors.  Also, I have less to lose.

--Steve


PGP mail preferred, see         http://www.pgp.com and
                                http://web.mit.edu/network/pgp.html

RSA fingerprint: FE90 1A95 9DEA 8D61  812E CCA9 A44A FBA9
RSA key: http://keys.pgp.com:11371/pks/lookup?op=index&search=0x55C78B0D
---------------------------------------------------------------------
Steve Schear              | tel: (702) 658-2654
CEO                       | fax: (702) 658-2673
First ECache Corporation  |
7075 West Gowan Road      |
Suite 2148                |
Las Vegas, NV 89129       | Internet: schear(_at_)lvdi(_dot_)net
---------------------------------------------------------------------

        I know not what course others may take; but as for me, 
        give me ECache or give me debt!

        "It's your Cache?"


