[sword-devel] Encryption/decryption (was: WOW)
Michael Paul Johnson
Tue, 23 Nov 1999 16:59:23 -0700
> > o the RPM and WIN32 binaries include only _decipher_ support of
> > sapphire builtin, thus making them legally exportable
>This is a good point. Correspondingly, it should not be illegal to export the
>source code for decryption software. This would probably get around most of
>the concerns i raised in my first email about our use of Sapphire. MPJ, what
>is your opinion on this? Is my understanding about encryption vs. decryption
>correct? If so, would it be possible for you to package up a decrypt-only
>version of Sapphire that would be legal for export?
The Sapphire II Stream Cipher is inherently bidirectional (encrypts and
decrypts with equal ease) in source code. Only by compiling it into object
code in an application (or an object module) that was incapable as it
stands of encryption is it freely exportable (unless you use the printed
book/1st Amendment loophole). Anybody with the source code to Sapphire can
do this. Another approach is to go ahead and distribute source code from
outside of North America, taking care not to re-export it from any U. S.
sites. Since the U. S. Government dropped its investigation of Phil
Zimmermann (author of PGP) for lack of evidence of a crime committed, and
my reading of the U. S. law agrees, it must be safe for someone else to
post Sapphire code in Germany, as long as whoever does so doesn't get it
from the USA or Canada, and I have nothing to do with it. Since I have
dedicated that algorithm and its sample implementation to the Public
Domain, I couldn't sue anyone who did so for copyright violation even if I
wanted to (and I don't).
The bottom line is that we can freely distribute binaries that have
decryption capability, even from the USA. Any encryption source code that
is any good can be posted in the USA on an export-controlled site (like my
http://cryptography.org) or mailed out in printed format. If you happen to
find a copy of encryption source code that fills your needs in Estonia or
some other country, you can use it without breaking the law yourself unless
(1) there are patent or copyright issues (there aren't with Sapphire), (2)
your own country prohibits importing crypto code (France used to, but
doesn't, now), or (3) the other country also has cryptographic software
restrictions that apply (most don't).
The USA export rules are funny, and not very logical, but we can and should
try to work within them.
Michael Paul Johnson