[sword-devel] Encryption/decryption (was: WOW)
Thu, 25 Nov 1999 09:19:15 +0000
Michael Paul Johnson wrote:
> > > o the RPM and WIN32 binaries include only _decipher_ support of
> > > sapphire builtin, thus making them legally exportable
> >This is a good point. Correspondingly, it should not be illegal to export the
> >source code for decryption software. This would probably get around most of
> >the concerns i raised in my first email about our use of Sapphire. MPJ, what
> >is your opinion on this? Is my understanding about encryption vs. decryption
> >correct? If so, would it be possible for you to package up a decrypt-only
> >version of Sapphire that would be legal for export?
> The Sapphire II Stream Cipher is inherently bidirectional (encrypts and
> decrypts with equal ease) in source code. Only by compiling it into object
> code in an application (or an object module) that was incapable as it
> stands of encryption is it freely exportable (unless you use the printed
> book/1st Amendment loophole). Anybody with the source code to Sapphire can
> do this. Another approach is to go ahead and distribute source code from
> outside of North America, taking care not to re-export it from any U. S.
> sites. Since the U. S. Government dropped its investigation of Phil
> Zimmermann (author of PGP) for lack of evidence of a crime committed, and
> my reading of the U. S. law agrees, it must be safe for someone else to
> post Sapphire code in Germany, as long as whoever does so doesn't get it
> from the USA or Canada, and I have nothing to do with it. Since I have
> dedicated that algorithm and its sample implementation to the Public
> Domain, I couldn't sue anyone who did so for copyright violation even if I
> wanted to (and I don't).
> The bottom line is that we can freely distribute binaries that have
> decryption capability, even from the USA. Any encryption source code that
> is any good can be posted in the USA on an export-controlled site (like my
> http://cryptography.org) or mailed out in printed format. If you happen to
> find a copy of encryption source code that fills your needs in Estonia or
> some other country, you can use it without breaking the law yourself unless
> (1) there are patent or copyright issues (there aren't with Sapphire), (2)
> your own country prohibits importing crypto code (France used to, but
> doesn't, now), or (3) the other country also has cryptographic software
> restrictions that apply (most don't).
> The USA export rules are funny, and not very logical, but we can and should
> try to work within them.
Oh, well. It was worth a thought.
If i cared enough about the commercial texts and their distribution, i'd offer to
scan the source code myself. Matter of fact, if the sources are only small, i
could probably do it in background anyway.
Let me know if you're interested, and you can send me a (high-quality) printout,
and i'll get my wife to scan it in her spare time and i'll proofread. Can't offer
fast turnaround, though, but at least we would have a version untainted by the
illegal export deal (which i still think could turn out to be an issue, even if
not in the U.S.).
"He must become greater; i must become less." - John 3:30