Date:      Wed, 26 Jul 1995 03:41:18 -0700
From:      "David E. Tweten" <tweten@tale.frihet.com>
To:        "Rodney W. Grimes" <rgrimes@gndrsh.aac.dev.com>
Cc:        mark@grondar.za, pst@stupi.se, rgrimes@FreeBSD.ORG, security@FreeBSD.ORG, freebsd-foreign-secure@grondar.za
Subject:   Re: secure/ changes... 
Message-ID:  <199507261041.DAA08423@tale.frihet.com>

-----BEGIN PGP SIGNED MESSAGE-----

Rodney W. Grimes wrote:
> PGP is a one way hash function, it is not encryption software, thus it
> does not fall on the munitions lists, thus it is not restricted.

Bzzzt!  Wrong!  PGP uses the RSA public key algorithm, the IDEA private key 
algorithm and the MD5 secure hash algorithm to provide a reasonably efficient 
implementation of public key cryptography and digital signature.  As such, it 
does come under munitions restrictions.  If you don't believe me, ask the 
Federal Prosecutor in San Jose, California, and Phil Zimmermann's lawyer.  
PGP's author, Zimmermann, is currently under investigation for violation of 
exactly the munitions regulations you mentioned, by virtue of the fact that an 
early version of PGP escaped the U.S. via anonymous FTP.  That's *exportation*.

> DES is encryption software, it is on the munitions lists, munitions export
> AND import is regulated by the US federal government, both the State
> Department, and the Bureau of Alcohol, Tobacco and Firearms (ATF) have
> regulations controlling imports to the US of any and all ``munitions''.

As it turns out, the IDEA algorithm (invented in Europe, and imported into the 
U.S. with no restrictions, except as relates to subsequent re-exportation) is 
a direct, and apparently superior, competitor to DES.  Instead of a 56-bit 
key, IDEA uses a 128-bit key.  Unlike DES, IDEA is reputed to be impervious to 
any attack short of guessing its key.  And IDEA is an integral part of PGP.

> Various import and export paper work from UPS, Federal Express, and DLH
> all state that ``firearms'' and or ``munitions'' are regulated for import
> and export and require special paper work.

Munitions imports may well be regulated (through Commerce, if my memory 
serves), but those regulations are so light as not to be noticeable for 
cryptographic software.

> I do not have a direct reference to the State Department munitions list,
> or the applicable ATF regulations, but I do assure you they exist, and
> they are enforced (reference, Austin Code Works was indicted in 1994 by
> the US State Department for shipping DES software out of the US on CDROM).

As you point out, exportation of crypto, even the relatively innocuous and 
widely published DES, is strictly (and irrationally) regulated.  You are still 
the only person who I have ever seen maintain that crypto *importation* is 
restricted in the U.S.  That is in contrast to a flood of evidence I've seen 
to suggest the opposite.

Care to reconsider?
- --
David E. Tweten           |  PGP Key fingerprint =        |  tweten@frihet.com
12141 Atrium Drive        |     E9 59 E7 5C 6B 88 B8 90   |     tweten@and.com
Saratoga, CA 95070-3162   |     65 30 2A A4 A0 BC 49 AE   |     (408) 446-4131
      The only flags worth saluting are those you are permitted to burn.

