At 07:35 PM 12/01/1999 +0800, Enzo Michelangeli wrote:
>Speaking about which: isn't Certification Authority software subject to EAR
>export controls? I'm asking because Hongkong Post (the Hong Kong Post
>Office) has announced that they will start to offer CA services (being in
>fact the first legally recognized local CA), and will use a system provided
>by HP. HP swears that there are no backdoors or covert channels to leak bits
>of the CA's root key, and Hongkong Post believes them, but then I wonder how
>they got an export license.

Software that's authentication only isn't supposed to need
an export license - only software that provides data privacy does,
and CA products only need to do signatures, not privacy.

A CA product using DSA instead of RSA shouldn't have a problem;
a CA product using RSA would probably have to demonstrate that
it only does signatures and doesn't use the RSA for privacy protection,
and might be able to get away with using cryptographic protection
for its own certification secrets if it asks nicely.
If you're shipping the CA software as a binary, not source,
then the non-Yankee CA service provider can't use it to
also provide privacy (at least without reverse engineering,
which is much more work than just writing new stuff themselves
or downloading software from Finland or whatever.)


                                Thanks! 
                                        Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
