Date: Mon, 1 Nov 1999 22:25:47 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: Kris Kennaway <kris@hub.freebsd.org>
Cc: Issei Suzuki <issei@issei.org>, security@freebsd.org, ports@freebsd.org
Subject: Re: OpenSSH patches
Message-ID: <Pine.BSF.3.96.991101222055.22845A-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.4.10.9911011804230.78061-100000@hub.freebsd.org>

On Mon, 1 Nov 1999, Kris Kennaway wrote:

> There is some confusion (at least to me) about whether software which
> provides a cryptographic function (like SSH) but which links to an
> external library to provide the actual cryptographic code is liable under
> the export restrictions.
>
> Otherwise, everyone in the US could just write their cryptographic code to
> a certain API and have it fulfilled by an internationally-developed crypto
> library, thereby defeating the intent of the restrictions. I'd very much
> like this to be true, but I didn't want to risk it being false, seeing as
> how I'm a guest in this country and as such very much subject to the whims
> of the INS :-)

Yah, me too. My solution was to do the code as employed by some existing
US citizens and let them deal with the legal consequences. :-) Of course,
I'm due for US citizenship any day now.. Pity about all those "or we'll
revoke it" clauses in the application and elsewhere.

My recollection is that in general shipping things with APIs strictly used
for encryption is still a no-no. The usual work-around is to define a
general-purpose data transform API. In Coda, we discussed doing this and
providing two modules -- an XOR crypto module, and a compression module,
just to show the generalness of the whole thing. Both crypto and
compression retain state over the course of the sessions, participate in a
chat protocol to get going at the beginning, ...

The other one that often works is that code for authentication is
fine--i.e., MD5 hashes and MAC code. That also requires keying material,
et al.

What is the export deal on ebones/Kerberos? Ebones is exportable, but I
don't remember a) whether it had to be reviewed/approved, and b) whether
or not it actually had direct crypto hooks.

Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message