From owner-freebsd-security Wed Jul 26 11:57:12 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id LAA11384 for security-outgoing; Wed, 26 Jul 1995 11:57:12 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id LAA11350 for ; Wed, 26 Jul 1995 11:57:05 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id LAA26575; Wed, 26 Jul 1995 11:56:02 -0700
From: "Rodney W. Grimes"
Message-Id: <199507261856.LAA26575@gndrsh.aac.dev.com>
Subject: Re: secure/ changes...
To: sjb@austin.ibm.com (Scott Brickner)
Date: Wed, 26 Jul 1995 11:56:02 -0700 (PDT)
Cc: sef@kithrup.com, security@freebsd.org, mark@grondar.za, pst@stupi.se
In-Reply-To: <9507261742.AA17868@ozymandias.austin.ibm.com> from "Scott Brickner" at Jul 26, 95 12:42:02 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 7381
Sender: security-owner@freebsd.org
Precedence: bulk

>
> "Rodney W. Grimes" writes:
> >> >Various import and export paper work from UPS, Federal Express, and DLH
> >> >all state that ``firearms'' and or ``munitions'' are regulated for import
> >> >and export and require special paper work. Generally this reads:
> >> >``We accept shipments of firearms when either the shipper or recipient ...
>
> You aren't even reading *this* correctly. In the last part of the sentence,
> the phrase "such shipments" obviously refers to "shipments of firearms".

That may be obvious to you, but that is again your interpretation. Mine
differs, leave it at that.

> There's absolutely nothing in the statement you've mentioned which references
> munitions in general. You've clearly no idea what you're talking about.

That tone won't go very far with convincing me or anyone else. Again,
``no idea what you're talking about'' is your opinion, is hearsay, and
is, IMO, incorrect.
But you are entitled to your opinion as am I. I don't give a darn if
you end up in jail, I do have great concern if I do.

> Point me to any single regulation which both applies to me as a U.S. citizen,
> and which prohibits me from importing DES or RSA software from a country
> where possession of such is legal.

I already said I have no reason to go do this leg work, it is _not_ me who
wants to import it.

> I can clearly show you (with web pointers, as I did in an earlier message)
> where *export* and *temporary* import are prohibited. The very same document
> explicitly disavows its authority to prohibit *permanent* import.

A document explicitly disavowing its authority does not mean there is not
another asserting its. This is what makes law so d*mn hard to figure out
what is and is not legal. It is very easy to find things that say this
or that is illegal, but it is much harder to search and ascertain if some
action is legal as you have to do it by 1 of two means, exhaustive search
for anything that might make it illegal, or finding case citations with a
ruling from at least 2 or 3 courts that clearly show the action was not
legal. (1 case does not do it, that is not a ``precedent''.)

> >> >I do not have a direct reference to the State Department munitions list,
> >> >or the applicable ATF regulations, but I do assure you they exist, and
> >> >they are enforced (reference, Austin Code Works was indicted in 1994 by
> >> >the US State Department for shipping DES software out of the US on CDROM).
>
> The munitions list is defined in the International Traffic in
> Arms Regulations,
> the full text of which may be found by retrieving:
> .

Okay, so you've ruled out one possible place for trouble. I will go read
this to increase my understanding of the _export_ side. But this does
nothing to convince me about import, since as you already said this
document does not cover import.

> >> It is not illegal to import DES. Or PGP.
> >> Or any other software that does
> >> encryption (given the caveat above).
> >
> >I disagree.
>
> You're wrong.

Your opinion, and it ain't worth squat as you're not an authority I will
respect on this issue. Look, we disagree on a point of law, I respect
your opinion, you go import DES and PGP to your heart's end. It won't
affect me one bit, but I will _not_ take a risk like that without better
assessment of information from proper legal and/or government agencies.
I believe strongly in my right to keep my ass out of jail, and your right
to put it there if you want to play fast and loose.

> It may be illegal to export DES or PGP from some specific
> countries, but the question we're really discussing here is whether it's
> appropriate to make the FreeBSD security release available on a server
> in South Africa, which has no such export control. I maintain that in
> eight months or so of closely following the issues related to cryptographic
> prohibitions, I've never heard of any U.S. regulation which prohibits its
> import.

Because you don't desire to find one. In fact you _desire_ just the
opposite, which is, IMHO, a really bad thing to desire when you are
trying to ascertain that your actions are legal.

> >> It is not illegal or forbidden to ship encryption software domestically, via
> >> the US Postal Service, or any of the couriers. If I understand things
> >> correctly, Canada and Mexico may also be allowed, but I'm not sure.
> >
> >I didn't even mention domestic, I was quoting chapter and verse from the
> >international shippers guide of Fed Ex. My UPS international guide has very
> >similar statements in it. Canada and Mexico still go through customs,
> >so though it may be allowed, it will be regulated.
>
> The ITAR also does not cover shipments to Canada.
>
> >> I verified all of this today with someone who's had to deal with the
> >> regulations. Have you?
> >
> >See above.
> >And no, but I do deal with US customs paper work on a weekly
> >basis, just ask a few of my international customers. And if you want to
> >make a real point, go get the ATF and State department's import/export
> >stuff, and talk with _THEM_ about imports. Not someone who has done
> >DES exporting, I know that can be done, it just takes paper work (on a
> >per copy basis, I know all about it, been there done that, is what
> >_NO_ one has done is go try to find out exactly what paper work customs
> >want to allow the stuff across the border if you clearly point them
> >at the fact this stuff _is_ on the munitions list). You might just be
> >in for a very big surprise, or I might be all wet. But I am not willing
> >to risk Grand Jury indictment on this hearsay information.
>
> The broad consensus here seems to be that import of cryptographic
> equipment is not prohibited. By all means --- prove us wrong, if
> you can.

I have no reason to take any more efforts in proving you or myself wrong
or right. A ``broad consensus'' is still hearsay, and I don't risk my
future on hearsay.

> In general, as I understand the process, to *export* cryptographic
> equipment, one must first get a "Commodities Jurisdiction" ruling ...

Export is not the issue here, we are all well aware of what it takes
to export DES.

> Since permanent imports are not covered by DoJ's ITAR, you can
> skip the CJ step for them. This means you only have to deal with
> DoC, which doesn't prohibit crypto. The only question becomes
> whether the material is *generally* importable. It wouldn't
> surprise me if the DoC *generally* prohibits the import of goods
> which are prohibited from export in the country of origin, but
> restrictions beyond this would be curious.
>
> Now, to cover my own butt, I have to add that I'm not a lawyer,
> nor do I play one on TV or the net. I *can* read, though, and
> have read a lot on this subject: often by people who *do* play
> lawyers on the net.

Obtaining legal advice and taking action on such information, IMHO, in
this manner is a very dangerous game to play. There are 10000 arm chair
lawyers for every 1 real one. I am an arm chair lawyer, but I don't take
legal actions based upon my arm chair interpretations, I pay for proper
legal advice and/or consult the law books and or agencies myself.

--
Rod Grimes rgrimes@gndrsh.aac.dev.com
Accurate Automation Company Reliable computers for FreeBSD