Date:      Wed, 26 Jul 1995 05:04:42 -0700 (PDT)
From:      "Rodney W. Grimes" <rgrimes@gndrsh.aac.dev.com>
To:        tweten@frihet.com
Cc:        mark@grondar.za, pst@stupi.se, rgrimes@FreeBSD.ORG, security@FreeBSD.ORG, freebsd-foreign-secure@grondar.za
Subject:   Re: secure/ changes...
Message-ID:  <199507261204.FAA25100@gndrsh.aac.dev.com>
In-Reply-To: <199507261041.DAA08423@tale.frihet.com> from "David E. Tweten" at Jul 26, 95 03:41:18 am

> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> Rodney W. Grimes wrote:
> > PGP is a one way hash function, it is not encryption software, thus it
> > does not fall on the munitions lists, thus it is not restricted.
> 
> Bzzzt!  Wrong!  PGP uses the RSA public key algorithm, the IDEA private key
> algorithm and the MD5 secure hash algorithm to provide a reasonably efficient
> implementation of public key cryptography and digital signature.  As such, it
> does come under munitions restrictions.  If you don't believe me, ask the
> Federal Prosecutor in San Jose, California, and Phil Zimmermann's lawyer.
> PGP's author, Zimmermann, is currently under investigation for violation of
> exactly the munitions regulations you mentioned, by virtue of the fact that an
> early version of PGP escaped the U.S. via anonymous FTP.
> That's *exportation*.
> 

I have already replied that I had crossed my wires between PGP and MD5. I
am not an expert on what all this different software is, does, or how
it works, but I do know a fair bit of ``law'' and play the import export
business week to week.

We are all in agreement that A) DES and cryptography software is on the
munitions lists, B) that _export_ of munitions is restricted by at least
1 US Federal law and C) all imports and exports must pass through customs,
and thus are at least ``regulated'' [I think we all agree this last one
is true, note the word ``regulated'' vs ``restricted'', very important.]

> > DES is encryption software, it is on the munitions lists, munitions export
> > AND import is regulated by the US federal government, both the State
> > Department, and the Bureau of Alcohol, Tobacco and Firearms (ATF) have
> > regulations controlling imports to the US of any and all ``munitions''.
> 
> As it turns out, the IDEA algorithm (invented in Europe, and imported into the
> U.S. with no restrictions, except as relates to subsequent re-exportation) is
> a direct, and apparently superior, competitor to DES.  Instead of a 56-bit
> key, IDEA uses a 128-bit key.  Unlike DES, IDEA is reputed to be impervious to
> any attack short of guessing its key.  And IDEA is an integral part of PGP.

The quality of algorithms is not a factor to this discussion :-).  I could
write a crypto package that a 10 year old could crack, it could very well
fall under the same ``restrictions'' as DES.  There is no statement of
algorithm strength in the law :-(.

> > Various import and export paper work from UPS, Federal Express, and DLH
> > all state that ``firearms'' and or ``munitions'' are regulated for import
> > and export and require special paper work.
> 
> Munitions imports may well be regulated (through Commerce, if my memory 
> serves), but those regulations are so light as not to be noticeable for
> cryptographic software.

Yes, all importing is regulated by at least Commerce, and then depending
on just what it is there are a whole other pile of things that can regulate
it.  Textiles import, believe it or not, can be a royal mess to deal with.

As can petroleum products, or anything subject to import taxation.

Importing firearms is very well regulated, you just try to get a shipment
past US import customs with ``munitions'' on the commercial invoice without
all the proper paper work.  They may very well overlook DES labeled as floppy
disks, or software, but label as munitions is going to raise a big red
flag.

> > I do not have a direct reference to the State Department munitions list,
> > or the applicable ATF regulations, but I do assure you they exist, and
> > they are enforced (reference, Austin Code Works was indicted in 1994 by
> > the US State Department for shipping DES software out of the US on CDROM).
> 
> As you point out, exportation of crypto, even the relatively innocuous and 
> widely published DES, is strictly (and irrationally) regulated.  You are still
> the only person who I have ever seen maintain that crypto *importation* is
> restricted in the U.S.  That is in contrast to a flood of evidence I've seen 
> to suggest the opposite.

But do you have _solid_ evidence, and have you dealt first hand with
import and export paper work?  Do you know what a Commercial Invoice is?
Are you aware that any US import without either a SSN or EIN of the
recipient on the import paper work will be held by customs until that
information is provided (imports of $1250 that is)?

Do you have any idea what a**es US customs can be on the tiniest detail?

> 
> Care to reconsider?

No, as no _solid_ evidence has been presented, this is all hearsay.

Show me a Commercial Invoice for a US import shipment that clearly marks
it as containing munitions in the form of DES and I'll buy it.  Or show
me that DES is _not_ restricted for import in a US commerce, ATF, or
State department import documentation, then I will reconsider my point
of view.

Or show me an import ``expert'' who agrees with your conclusions.

-- 
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                 Reliable computers for FreeBSD


