From owner-freebsd-security Tue Jul 25 20:21:17 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6)
        id UAA01252 for security-outgoing; Tue, 25 Jul 1995 20:21:17 -0700
Received: from kithrup.com (kithrup.com [140.174.23.40]) by freefall.cdrom.com
        (8.6.11/8.6.6) with ESMTP id UAA01245 for ; Tue, 25 Jul 1995 20:21:15 -0700
Received: (from sef@localhost) by kithrup.com (8.6.8/8.6.6) id UAA20861;
        Tue, 25 Jul 1995 20:18:06 -0700
Date: Tue, 25 Jul 1995 20:18:06 -0700
From: Sean Eric Fagan
Message-Id: <199507260318.UAA20861@kithrup.com>
To: rgrimes@gndrsh.aac.dev.com
Subject: Re: secure/ changes...
Newsgroups: kithrup.freebsd.security
In-Reply-To: <199507260200.TAA23061.kithrup.freebsd.security@gndrsh.aac.dev.com>
References: <199507251051.DAA03749@tale.frihet.com> from "David E. Tweten" at Jul 25, 95 03:51:52 am
Organization: Kithrup Enterprises, Ltd.
Cc: security@freebsd.org, mark@grondar.za, pst@stupi.se
Sender: security-owner@freebsd.org
Precedence: bulk

In article <199507260200.TAA23061.kithrup.freebsd.security@gndrsh.aac.dev.com> you write:

You're a bright guy, Rod, and it's hard for me to say this, but: almost
everything in your message was WRONG.

>PGP is a one way hash function, it is not encryption software, thus it
>does not fall on the munitions lists, thus it is not restricted.

PGP is encryption software. It uses RSA. It is a munition. This is why
Zimmermann is currently facing a possible Grand Jury indictment, for ITAR
violations -- exporting munitions.

Perhaps you're thinking of MD5, which is a checksum function, and cannot be
used to `decrypt.' (PGP does use MD5, admittedly.)

>DES is encryption software, it is on the munitions lists, munitions export
>AND import is regulated by the US federal government, both the State
>Department, and the Bureau of Alcohol, Tobacco and Firearms (ATF) have
>regulations controlling imports to the US of any and all ``munitions''.

The first line is correct.
The first part of the second line is incorrect. You can import as much
encryption software as you want, *PROVIDED* it wasn't illegally exported.
(I don't understand why that is the case.)

I verified this today with someone who makes his living working on
encryption software, and I promise you: he's dealt with all of the
regulations and paperwork before, and has even *gotten* the correct
paperwork to export certain items.

>Various import and export paper work from UPS, Federal Express, and DLH
>all state that ``firearms'' and/or ``munitions'' are regulated for import
>and export and require special paper work. Generally this reads:
>``We accept shipments of firearms when either the shipper or recipient
>is a licensed manufacturer, licensed importer, licensed dealer or licensed
>collector who is not prohibited from such shipments by federal, state or
>local regulations.''

UPS, Federal Express, and DLH are not the federal government. In addition,
"firearms" are a subset of "munitions," and what all the couriers (and the
post office) mean by "munitions" are the hardware kind, not software of any
sort.

>I do not have a direct reference to the State Department munitions list,
>or the applicable ATF regulations, but I do assure you they exist, and
>they are enforced (reference, Austin Code Works was indicted in 1994 by
>the US State Department for shipping DES software out of the US on CDROM).

I don't think anyone has denied that it is illegal to export DES source
code. (It is legal to export binary software that uses DES in certain
circumstances.)

It is not illegal to import DES. Or PGP. Or any other software that does
encryption (given the caveat above).

It is not illegal or forbidden to ship encryption software domestically, via
the US Postal Service, or any of the couriers. If I understand things
correctly, Canada and Mexico may also be allowed, but I'm not sure.

I verified all of this today with someone who's had to deal with the
regulations. Have you?

Sean.