[1041] in Coldmud discussion meeting
Re: [COLD] encryption, DES, MD5, SHA-1(?)
daemon@ATHENA.MIT.EDU (Wed Jul 24 13:23:36 1996
)
To: Stephen Smoogen <smooge@duracef.shout.net>
cc: coldstuff@cold.org
In-reply-to: Your message of "Wed, 24 Jul 1996 10:26:48 CDT."
<Pine.LNX.3.91.960724102103.1541C-100000@duracef.shout.net>
Date: Wed, 24 Jul 1996 12:43:51 EDT
From: Greg Hudson <ghudson@mit.edu>
> With this in mind you might want to have it that people have to pick
> up the SSH-LEAY distreibtuion from Australia (I dont have the URL
> handy but can supply it later.) And have the ColdX user drop it in
> and compile with it.
This does not necessarily get you off. Some notes about the ITAR:
* Don't accept legal advice from someone who isn't a lawyer
without corroboration.
* I'm not a lawyer.
* The goal of the ITAR was to prevent you from exporting
cryptographic tools which could be easily used by foreign
governments to protect the secrecy of their communications.
The state department is not interested in preventing the
export of tools which allow you to protect the integrity of
communications (i.e. authentication systems), although if
you're exporting source code you may lose anyway (if the
source code contains easily separable cryptographic
procedures).
* I believe that people have gotten CJs on hashing algorithms
before (getting a CJ, or Commodities Jurisdiction, is how
you resolve questions over whether something is restricted
by the ITAR. You ask the Department of State to allow you
to export the product under the very much relaxed rules of
the Department of Commerce, which is how you normally export
things).
I believe there is a way to transform a hashing algorithm
into a cryptosystem (see _Applied Cryptography_ by
Schneier), but that may not count as "easily."
* CJs have been denied in the past on products which contained
no cryptographic algorithms, but had hooks for a
cryptosystem such that when you dropped in a cryptosystem
from outside the US, you got a tool which could protect
secrecy of communications. That's not quite what's been
proposed here (since Coldmud wouldn't be ensuring secrecy of
communications), but it's close enough to worry. (However,
if you have hooks for a compression system, and replace the
compression system with a cryptosystem outside the US, you
appear to be scott-free.)
* The ITAR is under attack both in the court system (in two
First Amendment challenges which are getting very different
results) and in Congress. I've heard multiple rumors that
the NSA has dropped its objections to repealing the ITAR
(for complicated reasons involving the military wanting to
buy off-the-shelf hardware), so most of the objections are
coming from the FBI, which wants to enforce key escrow for
domestic cryptography. Since the ITAR has no direct impact
on domestic cryptography, one would expect that the FBI
wouldn't have a leg to stand on here.
So it's possible that you can just wait out the ITAR.
Your best bet is probably to ship with MD5. Your likelihood of being
prosecuted under any circumstances is very low, in my estimation, but
I'm not a lawyer.