All,
I just wanted to give everyone an update on what's going on. So far we have reached an agreement with the SqueakFoundation to allow us to establish a relationship with the Software Freedom Law Center. They are currently working on official US Cryptography Export Notification. Once that notification is done and we receive a response from the government validating that we did things properly, we will open back up the repository. It also appears that there is little we can do to figure out export requirements for other countries. Cees mentioned that there are no export requirements where he is. Maybe we could start a list of contributors and countries and what the requirements in each country are. Does anyone else outside the US know what the cryptography
Also once the relationship is settled we will again approach Cincom about a port of their cryptography code. (Sean, have you heard any new comments from James?) In the meantime I am still working through ASN.1.
We have a new official Team Member: Paul Davidowitz. Paul and I have worked before; he is a very solid programmer. We have discussed ASN.1 and Paul is working through some possible designs. Please welcome Paul to the team!
Also if you have subscribed to this list and would like to join the team, please speak up and let us know. The repository is closed now and is only available to official cryptography team members.
Thanks everyone for your patience while we work through these startup issues,
Ron Teitelbaum
Cryptography Team Leader
I haven't heard from Jim on the matter; the last I heard, he said he sent it upstream and they are considering it. I will email him again and ask.
Sean
_____
From: cryptography-bounces@lists.squeakfoundation.org [mailto:cryptography-bounces@lists.squeakfoundation.org] On Behalf Of Ron Teitelbaum Sent: Tuesday, November 15, 2005 10:18 PM To: 'Cryptography Team Development List' Subject: [Cryptography Team] Team Update
On 11/16/05, Ron Teitelbaum Ron@usmedrec.com wrote:
Cees mentioned that there are no export requirements where he is.
Probably not 100% correct because The Netherlands signed the Wassenaar Treaty, but it's not an issue over here.
The only other country that readily pops up into my mind that made trouble over crypto export is or was France. I don't know what the current situation is, but if I were a French citizen I'd check this up. I think the French government took a more liberal stance a couple of years ago but I'm not sure.
All,
Is anyone on the team that is contributing code a French Citizen?
Ron
_____
From: cryptography-bounces@lists.squeakfoundation.org [mailto:cryptography-bounces@lists.squeakfoundation.org] On Behalf Of Cees De Groot Sent: Wednesday, November 16, 2005 2:44 AM To: Ron@usmedrec.com; Cryptography Team Development List Subject: Re: [Cryptography Team] Team Update
Cees,
You know it's getting better, but the only way I could read any of this was to translate Dutch into Spanish and then to English. As you can guess, I lost a lot along the way. Could you read through this, find the section that applies to your situation, put together a proper quote that says you are ok, and what requirements you have, so we can post it for others in the Netherlands?
http://www.ez.nl/content.jsp?objectid=18441
This comes from: http://www.wassenaar.org/secadmin/contacts.htm#UK
This might be helpful in the future figuring out cryptography export issues.
Thanks,
Ron Teitelbaum
_____
From: Cees De Groot [mailto:cdegroot@gmail.com] Sent: Wednesday, November 16, 2005 2:44 AM To: Ron@usmedrec.com; Cryptography Team Development List Subject: Re: [Cryptography Team] Team Update
On 11/16/05, Ron Teitelbaum Ron@usmedrec.com wrote:
Could you read through this, find the section that applies to your situation, put together a proper quote that says you are ok, and what requirements you have, so we can post it for others in the Netherlands?
I'll give the ministry a ring - crypto code falls under the Wassenaar Treaty and is thus under export controls under current Dutch laws, but it's not clear whether there are any exceptions for open source.
I did see some references to that effect. Some people were saying in the past that having the US sign the Treaty would help to open up export since there is an exception for open source projects. I'm guessing it's in there, but finding out for sure would be terrific.
Ron
-----Original Message----- From: Cees De Groot [mailto:cdegroot@gmail.com] Sent: Wednesday, November 16, 2005 9:26 AM To: Ron@usmedrec.com Cc: Cryptography Team Development List Subject: Re: [Cryptography Team] Team Update
On 11/16/05, Ron Teitelbaum Ron@usmedrec.com wrote:
I did see some references to that effect. Some people were saying in the past that having the US sign the Treaty would help to open up export since there is an exception for open source projects. I'm guessing it's in there, but finding out for sure would be terrific.
It might be in the treaty, but I didn't find it back in the law ;). I was too late to ring them, so I sent them a mail - probably have an answer by the weekend.
Hey...
Are we working on a general purpose ASN.1 compiler / BER codec or just enough ASN.1 to parse certs and PKCS blobs?
I might recommend we design an interface for the former but simply implement the latter. BER / DER encoding can be a little ugly at times. I've written several "highly-focused" BER / DER decoders in Java, and can tell you that scope creep is NOT your friend. ("Highly focused" in this context means specific to the ASN.1 for a particular application.)
I think someone mentioned Dubuisson's book on ASN.1, the PDF of which is available for free download. While I believe that Dubuisson's book is an excellent read, there's more to ASN.1 than BER/DER encoding, and you might wind up wasting a little bit of time by trying to implement _everything_. You might want to check out Burt Kaliski's "Layman's guide to a subset of ASN.1, BER, and DER". Available in text format at ftp://ftp.rsa.com/pub/pkcs/ascii/layman.asc .
-Cheers! -Matt H.
On Nov 15, 2005, at 7:18 PM, Ron Teitelbaum wrote:
Also once the relationship is settled we will again approach Cincom about a port of their cryptography code. (Sean, have you heard any new comments from James?) In the meantime I am still working through ASN.1.
We have a new official Team Member: Paul Davidowitz. Paul and I have worked before; he is a very solid programmer. We have discussed ASN.1 and Paul is working through some possible designs. Please welcome Paul to the team!
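An added example, not part of any message in this thread and not the team's Squeak code: a Python sketch of the "general interface, focused implementation" approach Matt recommends above, as a strict DER reader that implements only INTEGER, OBJECT IDENTIFIER and SEQUENCE and rejects everything else, including BER-only length forms. All names (`read_tlv`, `DECODERS`, `decode`, `SAMPLE`) are hypothetical and the sample bytes are constructed.

```python
class DERError(ValueError): pass  # not strict DER, or a type outside the subset

def read_tlv(buf, pos=0):  # returns (tag, value_bytes, next_pos)
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise DERError("truncated header or high-tag-number form")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf) or buf[pos] == 0:
            raise DERError("indefinite (BER-only), oversized or zero-padded length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if length < 0x80:
            raise DERError("long form used for a short length")
    if pos + length > len(buf):
        raise DERError("value runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def dec_integer(v):
    if not v or (len(v) > 1 and ((v[0] == 0 and v[1] < 0x80) or (v[0] == 0xFF and v[1] >= 0x80))):
        raise DERError("empty or non-minimal INTEGER")
    return int.from_bytes(v, "big", signed=True)

def dec_oid(v):
    if not v or v[-1] & 0x80:
        raise DERError("empty or truncated OID")
    arcs, n = [], 0
    for b in v:
        n = (n << 7) | (b & 0x7F)
        if b < 0x80:  # last byte of this arc
            arcs, n = arcs + [n], 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one value: 40*a + b
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def dec_sequence(v):
    items, pos = [], 0
    while pos < len(v):
        pos, start = read_tlv(v, pos)[2], pos
        items.append(decode(v[start:pos]))
    return items

DECODERS = {0x02: dec_integer, 0x06: dec_oid, 0x30: dec_sequence}  # the general interface

def decode(buf):
    tag, val, end = read_tlv(buf)
    if end != len(buf) or tag not in DECODERS:
        raise DERError("trailing bytes or tag outside the implemented subset")
    return DECODERS[tag](val)

SAMPLE = bytes.fromhex("300e02010206092a864886f70d01010b")  # constructed: SEQUENCE { INTEGER 2, OID }
```

Supporting another type means adding one entry to `DECODERS`; until then its tag is refused rather than guessed at, which keeps the scope of the parser explicit.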
Thanks for the link, I will read through it.
My thoughts were to evaluate Cees's comments about ASN.1 needing to be implementation specific, but I have a strong preference for a general purpose solution. There has been a lot done in the compiler area that doesn't apply to Smalltalk. I would at least like to add as much functionality as the C community is getting from an ASN compiler. I'm still speaking from ignorance here, but my first impressions are, to allow the building of an ASN structure using ASN specific classes, and to allow the structure to read from / write to objects through a TopLink like meta definition attached to classes, with more information like how to navigate links. That way the structure could translate directly using some form of root object to gather data. It would seem to me that that structure would be pretty flexible and general purpose, but it needs more fleshing out.
To say it again:
ASN notation builds ASN Structure of objects in Squeak.
ASN Structure Traverses a Root Object Meta Data Structure to retrieve data from itself or other linked objects.
The ASN Structure Class would be responsible for BER / DER encoding.
The Developer / User would be responsible for running the notation to create the structure, then defining meta data on domain objects to get and write data based on some root object (s).
I'm sure you have a lot more experience with this, and I am still learning. The parser that creates the structure would do validation which may be the most difficult part (as Cees pointed out earlier). Having the meta data coordinate encoding on the ASN Structure should simplify things some, much in the way that TopLink simplifies SQL query building. What do you think of the potential of the design and its ability to provide similar value as users currently get from ASN compilers?
Ron Teitelbaum
_____
From: Matthew S. Hamrick [mailto:mhamrick@cryptonomicon.net] Sent: Wednesday, November 16, 2005 1:38 PM To: Ron@USMedRec.com; Cryptography Team Development List Subject: Re: [Cryptography Team] Team Update