From owner-freebsd-ports  Mon Nov  1 19:59:36 1999
Delivered-To: freebsd-ports@freebsd.org
Received: from proxy4.ba.best.com (proxy4.ba.best.com [206.184.139.15])
	by hub.freebsd.org (Postfix) with ESMTP
	id 5AEAE14BC7; Mon,  1 Nov 1999 19:59:28 -0800 (PST)
	(envelope-from mda@discerning.com)
Received: from MDAXKE (cm-24-142-61-115.cableco-op.ispchannel.com [24.142.61.115])
	by proxy4.ba.best.com (8.9.3/8.9.2/best.out) with ESMTP id TAA20353;
	Mon, 1 Nov 1999 19:58:19 -0800 (PST)
Date: Mon, 01 Nov 1999 19:58:24 -0800
From: "Mark D. Anderson" <mda@discerning.com>
To: security@FreeBSD.ORG, ports@FreeBSD.ORG
Subject: Re: OpenSSH patches
Message-ID: <888466581.941486304@MDAXKE>
In-Reply-To: <Pine.BSF.4.10.9911011804230.78061-100000@hub.freebsd.org>
X-Mailer: Mulberry (Win32) [2.0.0a6, s/n U-301276]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>   It does not seem that OpenSSH source code includes any kind of
>> crypto argorythm (they are included in OpenSSL library), but is it
>> still affected by US crypto restrictions?
> 
> There is some confusion (at least to me) about whether software which
> provides a cryptographic function (like SSH) but which links to an
> external library to provide the actual cryptographic code is liable under
> the export restrictions.

I am not a lawyer, and all that, but i believe that this is still
against U.S. officially. It is usually referred to as "crypto with a hole",
and it is still illegal last i checked. Not only can't you ship crypto,
you can't ship software capable of using crypto, or something like that.
You *can* have APIs that are not crypto-specific (such as a generic transport
which can transparently have encryption), but you can't use the simple
mechanism described by openssh. Microsoft and HP have permission to ship their
stuff, but the hole can't be plugged by a user (officially) until
microsoft clears it.

See this for more:
http://www.zdnet.com/zdnn/content/pcwk/1522/320100.html
http://www.mozilla.org/crypto-faq.html#1-4

Of course, none of this is enforceable, but we all know that.

Perhaps someone at mozilla, if there are any left, would know the latest.

-mda




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message