[sword-devel] Encryption/decryption (was: WOW)

Paul Gear sword-devel@crosswire.org
Thu, 25 Nov 1999 09:19:15 +0000

Michael Paul Johnson wrote:

> ...
> > >   o     the RPM and WIN32 binaries include only _decipher_ support of
> > >         sapphire builtin, thus making them legally exportable
> >
> >This is a good point.  Correspondingly, it should not be illegal to export the
> >source code for decryption software.  This would probably get around most of
> >the concerns i raised in my first email about our use of Sapphire.  MPJ, what
> >is your opinion on this?  Is my understanding about encryption vs. decryption
> >correct?  If so, would it be possible for you to package up a decrypt-only
> >version of Sapphire that would be legal for export?
> The Sapphire II Stream Cipher is inherently bidirectional (encrypts and
> decrypts with equal ease) in source code. Only by compiling it into object
> code in an application (or an object module) that was incapable as it
> stands of encryption is it freely exportable (unless you use the printed
> book/1st Amendment loophole). Anybody with the source code to Sapphire can
> do this. Another approach is to go ahead and distribute source code from
> outside of North America, taking care not to re-export it from any U. S.
> sites. Since the U. S. Government dropped its investigation of Phil
> Zimmermann (author of PGP) for lack of evidence of a crime committed, and
> my reading of the U. S. law agrees, it must be safe for someone else to
> post Sapphire code in Germany, as long as whoever does so doesn't get it
> from the USA or Canada, and I have nothing to do with it. Since I have
> dedicated that algorithm and its sample implementation to the Public
> Domain, I couldn't sue anyone who did so for copyright violation even if I
> wanted to (and I don't).
> The bottom line is that we can freely distribute binaries that have
> decryption capability, even from the USA. Any encryption source code that
> is any good can be posted in the USA on an export-controlled site (like my
> http://cryptography.org) or mailed out in printed format. If you happen to
> find a copy of encryption source code that fills your needs in Estonia or
> some other country, you can use it without breaking the law yourself unless
> (1) there are patent or copyright issues (there aren't with Sapphire), (2)
> your own country prohibits importing crypto code (France used to, but
> doesn't, now), or (3) the other country also has cryptographic software
> restrictions that apply (most don't).
> The USA export rules are funny, and not very logical, but we can and should
> try to work within them.

Oh, well.  It was worth a thought.

If i cared enough about the commercial texts and their distribution, i'd offer to
scan the source code myself.  Matter of fact, if the sources are only small, i
could probably do it in background anyway.

Let me know if you're interested, and you can send me a (high-quality) printout,
and i'll get my wife to scan it in her spare time and i'll proofread.  Can't offer
fast turnaround, though, but at least we would have a version untainted by the
illegal export deal (which i still think could turn out to be an issue, even if
not in the U.S.).

"He must become greater; i must become less." - John 3:30