From: Brett Glass
To: security@freebsd.org
Date: Thu, 13 Jan 2000 20:31:45 -0700
Subject: Crypto regulations: Lucy pulls the football away?

I've been poring over the proposed new crypto regulations, and think I see
a serious problem vis-a-vis open source. The provision that allows the
export of source code, quoted at
http://www.cdt.org/crypto/admin/000110cryptoregs.shtml, says:

>Also in §740.13, to, in part, take into account the "open source" approach
>to software development, UNRESTRICTED encryption source code not subject
>to an express agreement for the payment of a licensing fee or royalty for
>commercial production or sale of any product developed using the source
>code can, without review, be released from "EI" controls and exported and
>reexported under License Exception TSU.

Note the use of the qualifier "unrestricted" in the paragraph above. So,
what's "unrestricted?" The text one paragraph above gives what appears to
be an answer:

>In §740.13, Technology and Software UNRESTRICTED, changes are made to
>reflect amendments to the Wassenaar Arrangement. Specifically, encryption
>software is no longer eligible for mass market treatment under the General
>Software Note. Encryption commodities and software are now eligible for
>mass market treatment under the new Cryptography Note in Category 5 - Part
>2 of the CCL. This Note multilaterally decontrols mass market encryption
>commodities and software up to and including 64-bits.

So, if I read the draft correctly, no open source crypto software that's
strong enough to protect anyone's privacy against a marginally competent
code cracker can be exported, even under the new rules. Am I off base here?
I hope I am, but I fear I'm not.

--Brett Glass