[Cryptography Team] Crypto for Squeak! Yea! (and msh-crypto)

Ron Teitelbaum Ron at USMedRec.com
Thu Oct 27 15:13:39 CEST 2005


All,

I've been trying to deal with this issue off list.  See:
http://rechten.uvt.nl/koops/cryptolaw/ .  It would appear, as Matthew points
out, that Open Source is given a waiver for export issues with notification
to BXA.

"Unrestricted crypto source code (like most "open source" software) and
publicly available commercial source code (like "community source" code) can
be exported to any end-user under a license exception without a technical
review. BXA (BIS) must be given a copy or the URL of the source code. All
other source code can be exported under license exception after a technical
review to any non-government end-user. One may not, however, knowingly
export source code to a terrorist country, although source code may be
posted on the WWW for downloading without the poster having to check whether
it is downloaded from a terrorist country."

I've written a lawyer suggested by someone on Squeak-Dev but have not had
a response.

***Does anyone know a lawyer that could help with these issues? ***

We should work to resolve this issue as soon as possible.

The discussions with James at Cincom are still going on, but we are
currently stuck on licensing.  We need a lawyer here also to help with the
negotiations.

Ron



-----Original Message-----
From: cryptography-bounces at lists.squeakfoundation.org
[mailto:cryptography-bounces at lists.squeakfoundation.org] On Behalf Of
Matthew S. Hamrick
Sent: Thursday, October 27, 2005 12:36 AM
To: cryptography at lists.squeakfoundation.org
Subject: [Cryptography Team] Crypto for Squeak! Yea! (and msh-crypto)

Hey Everybody!

I'm glad to hear there's interest for a 100% Smalltalk version of  
crypto primitives. A long while ago I started work on the "Mobile  
Security for Handhelds" Crypto package. Originally intended to be the  
crypto layer for a squeak port to PalmOS, I eventually just decided  
to work on it as a generic crypto package for Smalltalk.

You can find a changeset and a project file at
http://www.cryptonomicon.net/msh/squeak/ .

I've implemented a message digest infrastructure (including MD2, MD4,  
MD5, SHA1, SHA256, and somewhere I have a SHA384, SHA512 and SHA1024  
implementation.) I started a SymmetricStreamCipher abstract class and  
a concrete implementation of ARC4. Somewhere I have a DES  
implementation, but quite frankly it hasn't been at the top of my  
mind lately.

Security and flexibility were at the top of the list of design  
features, so I included the #clearSensitiveData method in the design  
to ensure that sensitive bits get obliterated before they're GC'd. Of  
course it's up to the developer to properly call these methods, but  
they're there for when you need to call them.

I've talked to James about the CinCom implementation a couple of
times. One thing that's a little disturbing is that he tells me that
they haven't alerted BIS (formerly BXA) as to the existence of the
package. The current rules for US open source crypto developers are
that you have to alert the BIS (Bureau of Industry and Security)
before you export (i.e., upload to an FTP site, post to a newsgroup,
or include in an email distribution that goes overseas); you're
supposed to send an email message to them telling them where they can
find a copy. I think this is to ensure that it's really open source
and to provide them with a working copy should they find bad guys are
using your source (saves them from having to reverse engineer the
code). I could be wrong about this, but you probably want to
double-check with them...

It's probably worth noting that the msh-crypto package, while  
incomplete, is distributed under a BSD style license that allows  
commercial and non-commercial uses and derivative works.
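
The explicit-wipe design described in the message above, as an added example that is not code from msh-crypto or from either poster. It is a Python stand-in: the names `ARC4`, `clear_sensitive_data` and `encrypt_and_wipe` are hypothetical, and it assumes key material is held in a mutable `bytearray` so it can be overwritten in place rather than left for the garbage collector.

```python
class ARC4:
    """Constructed ARC4 with an explicit wipe step (stand-in for #clearSensitiveData)."""

    def __init__(self, key: bytearray):
        if not 1 <= len(key) <= 256:
            raise ValueError("ARC4 key must be 1..256 bytes")
        self._s = bytearray(range(256))   # mutable, so it can be overwritten in place
        self._i = self._j = 0
        self._cleared = False
        j = 0
        for i in range(256):              # key-scheduling algorithm
            j = (j + self._s[i] + key[i % len(key)]) & 0xFF
            self._s[i], self._s[j] = self._s[j], self._s[i]

    def process(self, data: bytes) -> bytes:
        if self._cleared:
            raise RuntimeError("cipher state has been cleared")
        s, out = self._s, bytearray(len(data))
        for n, byte in enumerate(data):
            self._i = (self._i + 1) & 0xFF
            self._j = (self._j + s[self._i]) & 0xFF
            s[self._i], s[self._j] = s[self._j], s[self._i]
            out[n] = byte ^ s[(s[self._i] + s[self._j]) & 0xFF]
        return bytes(out)

    def clear_sensitive_data(self) -> None:
        # Overwrite in place; rebinding self._s would leave the old table
        # in memory until the collector reclaims it.
        self._s[:] = bytes(256)
        self._i = self._j = 0
        self._cleared = True

    # Context manager: the wipe runs even when the body raises, so it does
    # not depend on the caller remembering to call it.
    def __enter__(self):
        return self

    def __exit__(self, exc_type, exc, tb):
        self.clear_sensitive_data()
        return False


def encrypt_and_wipe(key: bytearray, plaintext: bytes) -> bytes:
    """Encrypt, then zero both the cipher state and the caller's key buffer."""
    try:
        with ARC4(key) as cipher:
            return cipher.process(plaintext)
    finally:
        key[:] = bytes(len(key))
```

The wipe only reaches the buffers this code owns; any immutable `bytes` copy of the key made elsewhere in the program is outside its control.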