From owner-freebsd-security Thu Jul 27 05:03:32 1995
Message-Id: <199507271159.EAA12884@tale.frihet.com>
Reply-To: "David E. Tweten"
To: "Rodney W. Grimes"
cc: sef@kithrup.com, security@freebsd.org, mark@grondar.za, pst@stupi.se
Subject: Re: secure/ changes...
Date: Thu, 27 Jul 1995 04:59:55 -0700
From: "David E. Tweten"

-----BEGIN PGP SIGNED MESSAGE-----

Quoting me, Rodney W. Grimes writes:

> > Our beta sites (currently a dozen or so) have been importing the DES
> > "munition" as our documentation suggests for over a year. Neither we nor they
> > have experienced any problem,
>
> And even that much of this paragraph is not hearsay. I have driven at
> well in excess of 150MPH down a freeway in Oregon and was not stopped
> or fined for doing so in any way, on numerous occasions, does that mean it
> is ``legal''. No, it simply means I did not get caught.

This is beginning to nibble at the edges of the real problem here, the
difficulty of proving a negative. To prove a specific act to be not
"illegal" in the U.S., in any absolute sense, requires that somebody be
prosecuted and convicted for it, and for that conviction to be overturned
by the U.S. Supreme Court. In all other circumstances, the act *might* be
illegal.
After all, the law is what the Supreme Court says it is.

Under all other circumstances, one has to balance the evidence, make a
personal judgement and take his chances. Your standard of balance strikes
me as so conservative as to lead to paralysis. It is, of course, your right
to inflict paralysis upon yourself. It would be unfortunate if the FreeBSD
project were to follow your example. Instead, I'd recommend considering the
weight of the evidence, making a judgement, and acting upon it.

The evidence, as I've witnessed it, is:

1) In a huge flood of net messages (thousands), on lists that care a lot
   about the legal issues associated with crypto, no message has ever
   indicated that *importation* of crypto into the U.S. is restricted under
   U.S. law.

2) MIT's lawyers seem unconcerned that MIT PGP includes *imported* crypto in
   the form of the IDEA private key algorithm. On the other hand, MIT is
   taking strong steps to secure its position against attack based upon
   patent and crypto *export* considerations. That suggests to me that MIT's
   formidable troop of lawyers has reviewed all aspects of PGP distribution
   and believes that MIT's crypto *importation* is not a legal problem.

3) A single person on the net, Rodney W. Grimes, is sufficiently worried
   that *importation* of crypto might be illegal that he recommends against
   it. He offers no evidence to justify his dissenting position, and instead
   demands evidence from the overwhelming majority that he is wrong.

I don't plan to waste any more time trying to provide him with the evidence.
Instead, I intend to ignore his advice on this topic in the future. I
recommend that course of action to the FreeBSD project, as well.

- --
David E. Tweten          |  PGP Key fingerprint =    |  tweten@frihet.com
12141 Atrium Drive       |  E9 59 E7 5C 6B 88 B8 90  |  tweten@and.com
Saratoga, CA 95070-3162  |  65 30 2A A4 A0 BC 49 AE  |  (408) 446-4131
The only flags worth saluting are those you are permitted to burn.