Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 01 Nov 1999 19:58:24 -0800
From:      "Mark D. Anderson" <mda@discerning.com>
To:        security@FreeBSD.ORG, ports@FreeBSD.ORG
Subject:   Re: OpenSSH patches
Message-ID:  <888466581.941486304@MDAXKE>
In-Reply-To: <Pine.BSF.4.10.9911011804230.78061-100000@hub.freebsd.org>

next in thread | previous in thread | raw e-mail | index | archive | help
>>   It does not seem that OpenSSH source code includes any kind of
>> crypto argorythm (they are included in OpenSSL library), but is it
>> still affected by US crypto restrictions?
> 
> There is some confusion (at least to me) about whether software which
> provides a cryptographic function (like SSH) but which links to an
> external library to provide the actual cryptographic code is liable under
> the export restrictions.

I am not a lawyer, and all that, but i believe that this is still
against U.S. officially. It is usually referred to as "crypto with a hole",
and it is still illegal last i checked. Not only can't you ship crypto,
you can't ship software capable of using crypto, or something like that.
You *can* have APIs that are not crypto-specific (such as a generic transport
which can transparently have encryption), but you can't use the simple
mechanism described by openssh. Microsoft and HP have permission to ship their
stuff, but the hole can't be plugged by a user (officially) until
microsoft clears it.

See this for more:
http://www.zdnet.com/zdnn/content/pcwk/1522/320100.html
http://www.mozilla.org/crypto-faq.html#1-4

Of course, none of this is enforceable, but we all know that.

Perhaps someone at mozilla, if there are any left, would know the latest.

-mda




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?888466581.941486304>