[1041] in Coldmud discussion meeting

Re: [COLD] encryption, DES, MD5, SHA-1(?)

daemon@ATHENA.MIT.EDU (Wed Jul 24 13:23:36 1996 )

To: Stephen Smoogen <smooge@duracef.shout.net>
cc: coldstuff@cold.org
In-reply-to: Your message of "Wed, 24 Jul 1996 10:26:48 CDT."
             <Pine.LNX.3.91.960724102103.1541C-100000@duracef.shout.net> 
Date: Wed, 24 Jul 1996 12:43:51 EDT
From: Greg Hudson <ghudson@mit.edu>

> With this in mind you might want to have it that people have to pick
> up the SSH-LEAY distribution from Australia (I don't have the URL
> handy but can supply it later.) And have the ColdX user drop it in
> and compile with it.

This does not necessarily get you off.  Some notes about the ITAR:

	* Don't accept legal advice from someone who isn't a lawyer
	  without corroboration.

	* I'm not a lawyer.

	* The goal of the ITAR was to prevent you from exporting
	  cryptographic tools which could be easily used by foreign
	  governments to protect the secrecy of their communications.

	  The State Department is not interested in preventing the
	  export of tools which allow you to protect the integrity of
	  communications (i.e. authentication systems), although if
	  you're exporting source code you may lose anyway (if the
	  source code contains easily separable cryptographic
	  procedures).

	* I believe that people have gotten CJs on hashing algorithms
	  before (getting a CJ, or Commodities Jurisdiction, is how
	  you resolve questions over whether something is restricted
	  by the ITAR.  You ask the Department of State to allow you
	  to export the product under the very much relaxed rules of
	  the Department of Commerce, which is how you normally export
	  things).

	  I believe there is a way to transform a hashing algorithm
	  into a cryptosystem (see _Applied Cryptography_ by
	  Schneier), but that may not count as "easily."

	* CJs have been denied in the past on products which contained
	  no cryptographic algorithms, but had hooks for a
	  cryptosystem such that when you dropped in a cryptosystem
	  from outside the US, you got a tool which could protect
	  secrecy of communications.  That's not quite what's been
	  proposed here (since Coldmud wouldn't be ensuring secrecy of
	  communications), but it's close enough to worry.  (However,
	  if you have hooks for a compression system, and replace the
	  compression system with a cryptosystem outside the US, you
	  appear to be scot-free.)

	* The ITAR is under attack both in the court system (in two
	  First Amendment challenges which are getting very different
	  results) and in Congress.  I've heard multiple rumors that
	  the NSA has dropped its objections to repealing the ITAR
	  (for complicated reasons involving the military wanting to
	  buy off-the-shelf hardware), so most of the objections are
	  coming from the FBI, which wants to enforce key escrow for
	  domestic cryptography.  Since the ITAR has no direct impact
	  on domestic cryptography, one would expect that the FBI
	  wouldn't have a leg to stand on here.

	  So it's possible that you can just wait out the ITAR.

Your best bet is probably to ship with MD5.  Your likelihood of being
prosecuted under any circumstances is very low, in my estimation, but
I'm not a lawyer.