[sword-devel] Encryption/decryption (was: WOW)

Michael Paul Johnson sword-devel@crosswire.org
Tue, 23 Nov 1999 16:59:23 -0700

> >   o     the RPM and WIN32 binaries include only _decipher_ support of
> >         sapphire builtin, thus making them legally exportable
>This is a good point.  Correspondingly, it should not be illegal to export the
>source code for decryption software.  This would probably get around most of
>the concerns i raised in my first email about our use of Sapphire.  MPJ, what
>is your opinion on this?  Is my understanding about encryption vs. decryption
>correct?  If so, would it be possible for you to package up a decrypt-only
>version of Sapphire that would be legal for export?

The Sapphire II Stream Cipher is inherently bidirectional (encrypts and 
decrypts with equal ease) in source code. Only by compiling it into object 
code in an application (or an object module) that was incapable as it 
stands of encryption is it freely exportable (unless you use the printed 
book/1st Amendment loophole). Anybody with the source code to Sapphire can 
do this. Another approach is to go ahead and distribute source code from 
outside of North America, taking care not to re-export it from any U. S. 
sites. Since the U. S. Government dropped its investigation of Phil 
Zimmermann (author of PGP) for lack of evidence of a crime committed, and 
my reading of the U. S. law agrees, it must be safe for someone else to 
post Sapphire code in Germany, as long as whoever does so doesn't get it 
from the USA or Canada, and I have nothing to do with it. Since I have 
dedicated that algorithm and its sample implementation to the Public 
Domain, I couldn't sue anyone who did so for copyright violation even if I 
wanted to (and I don't).

The bottom line is that we can freely distribute binaries that have 
decryption capability, even from the USA. Any encryption source code that 
is any good can be posted in the USA on an export-controlled site (like my 
http://cryptography.org) or mailed out in printed format. If you happen to 
find a copy of encryption source code that fills your needs in Estonia or 
some other country, you can use it without breaking the law yourself unless 
(1) there are patent or copyright issues (there aren't with Sapphire), (2) 
your own country prohibits importing crypto code (France used to, but 
doesn't, now), or (3) the other country also has cryptographic software 
restrictions that apply (most don't).

The USA export rules are funny, and not very logical, but we can and should 
try to work within them.


Michael Paul Johnson