Date: Thu, 14 Aug 1997 11:19:46 -0700
From: "J. Kelly Johnson" <kellyj@ricochet.net>
To: Java Security Team <java-security@web2.javasoft.com>
Subject: Bundling some JCE classes in an exported application.
Marianne:
You mentioned in a previous response:
> Encryption/decryption is
> controlled by the US govt, meaning that we can't export encryption
> APIs. Companies can export products that have encyption bundled
> into them as part of the product, as long as the crypto APIs aren't
> exposed, and the bundled crypto is the so-called "weak" crypto.
Does this imply that one could "bundle" some JCE classes in an
exported java application which uses those classes (only using short
keys -
and possibly with modified JCE classes to prevent longer keys)
w/o violating the rules as long as the application does not "expose" the
JCE APIs to the end user? Or is it the nature of java applications
that the APIs associated with all classes contained therein are
considered "exposed", and only compiled traditional language
programs (like Netscape) using compiled encryption libraries (SSL) can
do
this? If so, this seems to relegate Java applications to an inferior
position as compared with traditional compiled applications.
It is crucial to our project that we at least have weak crypto
capability to protect the communications between the client part of
our distributed Java application running on a foreign system and
its associated server-side remote objects running on our (US) system.
Is
there any other way to accomplish this without being forced to run
as an applet via an SSL enabled browser using inefficient http/cgi
communications?
Your thoughts are much appreciated!
J. Kelly Johnson
AppletVisions Inc.