[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ms-cryptoapi
Subject:    Re: [Fwd: Session key size in Simplified Messaging]
From:       Eric Klein <erick () SOFTSHARE ! COM>
Date:       1997-10-28 3:47:27
[Download RAW message or body]


Ahh.

I was wondering if that might not be the case after all. I had
attended a conference several years ago where export
control laws were discussed, and it was said in no uncertain
terms that any coded communications outside of the US
was a violation of US export law. However, in light of the fact that it
is legal to send 40-bit (obviously since the software is exportable),
out of the US, I wondered if my information might be outdated, or
simply incorrect.

Do you know of anywhere that I could look to find more info on
crypto export law outside of the software shipping end of things?

Thank you very much.

Eric Klein
Softshare
erick@softshare.com


> -----Original Message-----
> From: Timothy Fisher [SMTP:timothyf@earthlink.net]
> Sent: Monday, October 27, 1997 7:42 PM
> To:   Eric Klein
> Subject:      [Fwd: Session key size in Simplified Messaging]
>
> Eric,
>
> Regarding your post to Capi mailing list.  I just wanted to point out
> that even if your customers were sending 128 bit encrypted mail
> outside
> of the country, they would not be violating the ITAR regulations.
>
> The ITAR regulations prevent you from exporting software that contains
> the capability to use a 128-bit algorithm, but it does not prevent any
> data from being transmitted out of the country.  It is perfectly legal
> to transmit any type of data out of the country no matter how strongly
> it has been encrypted.
>
> Timothy Fisher
> Cyclone Software
>
> Eric Klein wrote:
>
> > Hello again,
> >
> > I know I have asked this question in the past, but there has
> > never really been an answer, and I am at a point where I really
> > need to know.
> >
> > Is there any way to create a message using the simplified
> > messaging functions, and the Enhanced provider that is
> > encrypted with RC2 128-bit?
> >
> > What happens: I call CryptEncryptMessage, and the
> > CRYPT_ENCRYPT_PARA is set to use the enhanced
> > provider, and szOID_RSA_RC2CBC. It will always encrypt
> > with RC2 40-bit (not 128-bit as the docs says that the
> > enhanced provider must).
> >
> > I would very much like to offer our users the choice of
> > algorithms based on the CSP, and what they report from the
> > call CryptGetProvParam with PP_ENUMALGS, however
> > since the Enhanced CSP reports 128-bit RC2, but actually
> > uses 40-bit, I have no reliable way of knowing what a given
> > CSP will use in the simplified messaging functions
> > (since the Enhanced provider does not report properly).
> >
> > In addition, this causes a possible problem with the law.
> > Since (for the time being), the Enhanced CSP uses 40-bit, we
> > rely on that, but if we offer it to our users and in the future it
> > changes to 128-bit, and they send mail outside the US
> > thinking that it is 40-bit  (even though it is actually 128-bit)
> > they will be violating ITAR regulations.
> >
> > I would greatly appreciate enlightenment on this issue.
> > (Especially I would like to find out if and when this bug in
> > the Enhanced CSP will be addressed).
> >
> > Eric Klein
> > Softshare
> > erick@softshare.com
> >
> > ----------------------------------------------------------------
> > Users Guide
> http://www.microsoft.com/sitebuilder/resource/mailfaq.asp
> > contains important info including how to unsubscribe.  Save time,
> > search
> > the archives at http://microsoft.ease.lsoft.com/archives/index.html
>
>  << Message: Session key size in Simplified Messaging >>

----------------------------------------------------------------
Users Guide http://www.microsoft.com/sitebuilder/resource/mailfaq.asp
contains important info including how to unsubscribe.  Save time, search
the archives at http://microsoft.ease.lsoft.com/archives/index.html

[prev in list] [next in list] [prev in thread] [next in thread]