[7677] in cryptography@c2.net mail archive
Re: Using signature-only certs to authenticate key exchanges
daemon@ATHENA.MIT.EDU (Bill Stewart)
Thu Aug 17 11:09:47 2000
Message-Id: <3.0.5.32.20000816190538.009bcdc0@idiom.com>
Date: Wed, 16 Aug 2000 19:05:38 -0700
To: "Enzo Michelangeli" <em@who.net>,
"Cryptography@C2. Net" <cryptography@c2.net>
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <005001c007db$5421afe0$30cf54ca@emnb>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
At 07:39 AM 8/17/00 +0800, Enzo Michelangeli wrote:
>My question was about the legal meaning, or, better, prevalent legal
>interpretation, of "signature-only key". ...
>This is not a purely academic issue. For example, in Hong Kong the import of
>cryptographic devices is exempted from import licensing (not a big hurdle,
>but an annoying bureaucratic procedure nevertheless) if they are "only used
>for authentication or digital signature":
Ah. The certificate structure - keys, software, smartcards, data, etc.
can all work fine as signature-only, so it sounds like it'll pass your
import license issues. On the other hand, the Diffie-Hellman key exchange itself,
and the symmetric-key application that uses the key generated by DH,
aren't signature-only systems - they're clearly for doing encryption.
So you'll need to keep track of which pieces are integrated and which
are separate.
Do your import restrictions apply to intangibles like downloading software
in the net? Some places only restrict import/export of physical objects.
Thanks!
Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639