From owner-freebsd-security Wed Jul 26 03:43:00 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id DAA14786 for security-outgoing; Wed, 26 Jul 1995 03:43:00 -0700
Received: from tale.frihet.com (ns.frihet.com [165.227.57.1]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id DAA14778 ; Wed, 26 Jul 1995 03:42:50 -0700
Received: from localhost.frihet.com (tweten@localhost.frihet.com [127.0.0.1]) by tale.frihet.com (8.6.10/8.6.6) with SMTP id DAA08423; Wed, 26 Jul 1995 03:41:19 -0700
Message-Id: <199507261041.DAA08423@tale.frihet.com>
X-Authentication-Warning: tale.frihet.com: Host localhost.frihet.com didn't use HELO protocol
X-Mailer: exmh version 1.5.3 12/28/94
Reply-To: "David E. Tweten"
To: "Rodney W. Grimes"
cc: mark@grondar.za, pst@stupi.se, rgrimes@FreeBSD.ORG, security@FreeBSD.ORG, freebsd-foreign-secure@grondar.za
Subject: Re: secure/ changes...
Mime-Version: 1.0
Content-Type: application/pgp ; format=text ; x-action=signclear
Date: Wed, 26 Jul 1995 03:41:18 -0700
From: "David E. Tweten"
Sender: security-owner@FreeBSD.ORG
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Rodney W. Grimes wrote:
> PGP is a one way hash function, it is not encryption software, thus it
> does not fall on the munitions lists, thus it is not restricted.

Bzzzt! Wrong! PGP uses the RSA public key algorithm, the IDEA private key
algorithm and the MD5 secure hash algorithm to provide a reasonably
efficient implementation of public key cryptography and digital signature.
As such, it does come under munitions restrictions. If you don't believe
me, ask the Federal Prosecutor in San Jose, California, and Phil
Zimmermann's lawyer. PGP's author, Zimmermann, is currently under
investigation for violation of exactly the munitions regulations you
mentioned, by virtue of the fact that an early version of PGP escaped the
U.S. via anonymous FTP. That's *exportation*.

> DES is encryption software, it is on the munitions lists, munitions export
> AND import is regulated by the US federal government, both the State
> Department, and the Bureau of Alcohol, Tobacco and Firearms (ATF) have
> regulations controlling imports to the US of any and all ``munitions''.

As it turns out, the IDEA algorithm (invented in Europe, and imported into
the U.S. with no restrictions, except as relates to subsequent
re-exportation) is a direct, and apparently superior, competitor to DES.
Instead of a 56-bit key, IDEA uses a 128-bit key. Unlike DES, IDEA is
reputed to be impervious to any attack short of guessing its key. And IDEA
is an integral part of PGP.

> Various import and export paper work from UPS, Federal Express, and DLH
> all state that ``firearms'' and or ``munitions'' are regulated for import
> and export and require special paper work.

Munitions imports may well be regulated (through Commerce, if my memory
serves), but those regulations are so light as not to be noticeable for
cryptographic software.

> I do not have a direct reference to the State Department munitions list,
> or the applicable ATF regulations, but I do assure you they exist, and
> they are enforced (reference, Austin Code Works was indicted in 1994 by
> the US State Department for shipping DES software out of the US on CDROM).

As you point out, exportation of crypto, even the relatively innocuous and
widely published DES, is strictly (and irrationally) regulated. You are
still the only person who I have ever seen maintain that crypto
*importation* is restricted in the U.S. That is in contrast to a flood of
evidence I've seen to suggest the opposite. Care to reconsider?

- -- 
David E. Tweten          | PGP Key fingerprint =    | tweten@frihet.com
12141 Atrium Drive       | E9 59 E7 5C 6B 88 B8 90  | tweten@and.com
Saratoga, CA 95070-3162  | 65 30 2A A4 A0 BC 49 AE  | (408) 446-4131
The only flags worth saluting are those you are permitted to burn.