From owner-freebsd-security Wed Jul 26 05:05:50 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id FAA17499 for security-outgoing; Wed, 26 Jul 1995 05:05:50 -0700 Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id FAA17492 ; Wed, 26 Jul 1995 05:05:43 -0700 Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id FAA25100; Wed, 26 Jul 1995 05:04:43 -0700 From: "Rodney W. Grimes" Message-Id: <199507261204.FAA25100@gndrsh.aac.dev.com> Subject: Re: secure/ changes... To: tweten@frihet.com Date: Wed, 26 Jul 1995 05:04:42 -0700 (PDT) Cc: mark@grondar.za, pst@stupi.se, rgrimes@FreeBSD.ORG, security@FreeBSD.ORG, freebsd-foreign-secure@grondar.za In-Reply-To: <199507261041.DAA08423@tale.frihet.com> from "David E. Tweten" at Jul 26, 95 03:41:18 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 5091 Sender: security-owner@FreeBSD.ORG Precedence: bulk > > -----BEGIN PGP SIGNED MESSAGE----- > > Rodney W. Grimes wrote: > > PGP is a one way hash function, it is not encryption software, thus it > > does not fall on the munitions lists, thus it is not restricted. > > Bzzzt! Wrong! PGP uses the RSA public key algorythm, the IDEA private key > algorythm and the MD5 secure hash algorythm to provide a reasonably efficient > implementation of public key cryptography and digital signature. As such, it > does come under munitions restrictions. If you don't believe me, ask the > Federal Prosecutor in San Jose, California, and Phil Zimmermann's lawyer. > PGP's author, Zimmermann, is currently under investigation for violation of > exactly the munitions regulations you mentioned, by virtue of the fact that > an > early version of PGP escaped the U.S. via anonymous FTP. > That's *exportation*. > I have already replied that I had crossed my wires between PGP and MD5. I am not an export on what all this different software is, does, or how it works, but I do know a fair bit of ``law'' and play the import export business week to week. We are all in agreement that A) DES and cryptography software is on the munitions lists, B) that _export_ of munitions is restricted by at least 1 US Federal law and C) all imports and exports must pass through customs, and thus are at least ``regulated'' [I think we all agree this last one is true, note the world ``regulated'' vs ``restricted'', very important.] > > DES is encryption software, it is on the munitions lists, munitions export > > AND import is regulated by the US federal government, both the State > > Department, and the Bureau of Alcohol, Tobacco and Firearmgs (ATF) have > > regulations controlling imports to the US of any and all ``munitions''. > > As it turns out, the IDEA algorythm (invented in Europe, and imported into > the > U.S. with no restrictions, except as relates to subsequent re-exportation) is > a direct, and apparently superior, competitor to DES. Instead of a 56-bit > key, IDEA uses a 128-bit key. Unlike DES, IDEA is reputed to be impervious > to > any attack short of guessing its key. And IDEA is an integral part of PGP. The quality of algorithms is not a factor to this discussion :-). I could write a crypto package that a 10 year old could crack, it could very well fall under the same ``restrictions'' as DES. There is no statement of algorithm strength in the law :-(. > > Various import and export paper work from UPS, Federal Express, and DLH > > all state that ``firearms'' and or ``munitions'' are regulated for import > > and export and require special paper work. > > Munitions imports may well be regulated (through Commerce, if my memory > serves), but those regulations are so light as not to be noticible for > cryptographic software. Yes, all importing is regulated by at least Commerce, and then depending on just what it is there are a whole other pile of things that can regulate it. Textiles import, belive it or not, can be a royal mess to deal with. As can petroleum products, or any thing subject to import taxation. Importing firearms is very well regulated, you just try to get a shipment pass US import customs with ``munitions'' on the commercial invoice without all the proper paper work. They may very overlook DES labeled as floppy disks, or software, but label as munitions is going to raise a big red flag. > > I do not have a direct reference to the State Department munitions list, > > or the applicable ATF regulations, but I do assure you they exists, and > > they are inforced (reference, Austin Code Works was indited in 1994 by > > the US State Department for shipping DES software out of the US on CDROM). > > As you point out, exportation of crypto, even the relatively innocuous and > widely published DES, is strictly (and irrationally) regulated. You are > still > the only person who I have ever seen maintain that crypto *importation* is > restricted in the U.S. That is in contrast to a flood of evidence I've seen > to suggest the opposite. But do you have _solid_ evidence, and have you dealt first hand with import and export paper work? Do you know what a Commercial Invoice is? Are you aware that any US import without either a SSN or EIN of the recipient on the import paper work will be held by customs until that information is provided (imports of $1250 that is)? Do you have any idea what a**es US customs can be on the tiniest detail? > > Care to reconsider? No, as no _solid_ evidence has been presented, this is all here say. Show me a Commercial Invoice for a US import shipment that clearly marks it as containing munitions in the form of DES and I'll buy it. Or show me that DES is _not_ restricted for import in a US commerce, AFT, or State department import documentation, then I will reconsider my point of view. Or show me an import ``expert'' who agrees with your conclusions. -- Rod Grimes rgrimes@gndrsh.aac.dev.com Accurate Automation Company Reliable computers for FreeBSD