From owner-freebsd-security Wed Nov 13 12:26:20 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA13091 for security-outgoing; Wed, 13 Nov 1996 12:26:20 -0800 (PST)
Received: from skynet.ctr.columbia.edu (skynet.ctr.columbia.edu [128.59.64.70]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id MAA13079 for ; Wed, 13 Nov 1996 12:26:16 -0800 (PST)
Received: (from wpaul@localhost) by skynet.ctr.columbia.edu (8.6.12/8.6.9) id PAA25119; Wed, 13 Nov 1996 15:24:22 -0500
From: Bill Paul
Message-Id: <199611132024.PAA25119@skynet.ctr.columbia.edu>
Subject: Re: Re[2]: Secure RPC revisited
To: will.kempf@firstdatacorp.com (Will Kempf)
Date: Wed, 13 Nov 1996 15:24:20 -0500 (EST)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Will Kempf" at Nov 13, 96 09:33:00 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Of all the gin joints in all the towns in all the world, Will Kempf had to
walk into mine and say:

> Is it possible (probable) that since Linus is in Finland (Denmark?)
> that he's using one of the internationally-available implementations
> of DES?

It's not a question of where Linus is or what he's using. Linus doesn't
distribute Redhat Linux (though he may use it for all I know). In fact,
Linus doesn't distribute the Linux libc implementation at all: from what
I know, he just distributes the kernel.

The point is that the Redhat people, who are based in the United States
as far as I can tell, are shipping Redhat Linux CDs from the U.S. to
places outside of the U.S. with DES encryption software on them. (I
suppose they're also making it available via FTP too. There are lots of
Redhat mirror sites around.) The law, dumb as it is, says that you can't
do that. You can actually ship encryption code into the U.S. but once
it's here, you can't ship it back out again. Silly? You bet.
But the rule applies to code which uses more than 40 bits for its key,
and DES uses 56-bit keys, so there you have it. This is why you have
export and domestic versions of Netscape (*spit*) and why FreeBSD CDs
don't come with the DES distribution included; you have to download it
separately from a nearby FTP site (meaning if you're outside the U.S.,
you need to get it from a non-U.S. FTP server).

(As an aside, I wonder if it would be possible to put the DES
distribution on a floppy and include it when Walnut Creek mails a
FreeBSD CD to someone with a U.S. mailing address. But that's for
Walnut Creek to decide.)

It would seem that other Linux distributions that use the same libc are
in the same boat: I believe Slackware has the same Secure RPC and DES
code in it. If any of these Linux distributors have mailed CDs to
overseas addresses with DES code on them, then technically they've
broken the law and could go to jail and/or be fined a lot of money.

My point is that it's just not fair that we should be going to all this
trouble to abide by the law while the Linux distributors just thumb
their noses at it.

-Bill

--
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
 "If you're ever in trouble, go to the CTR. Ask for Bill. He will help you."
=============================================================================