export regulations (was: [Cryptography Team] msh-crypto design and tests)

Sean Glazier sglazier at comcast.net
Fri Oct 28 04:22:54 CEST 2005


All the algorithms we have used have been made public and there are
implementations all over the internet. I do believe we talked with Cincom
legal a while back and they said don't worry about them, so I didn't give it
another thought. And I do think they mean what it says, so if you develop
something that uses a weak key you have got to tell them. I guess so they can snoop
on the fools using it. Trying to control crypto libraries is like trying to
un-ring a bell after it has gone off. According to the checklist
http://www.bis.doc.gov/encryption/ChecklistInstr.htm you are only required
to do so if it is using weak keys. I am sure that is a typo. In any case
Cincom legal should take a look at our stuff again, and at the law.

Sean  

-----Original Message-----
From: cryptography-bounces at lists.squeakfoundation.org
[mailto:cryptography-bounces at lists.squeakfoundation.org] On Behalf Of Chris
Muller
Sent: Thursday, October 27, 2005 9:04 PM
To: cryptography at lists.squeakfoundation.org
Subject: export regulations (was: [Cryptography Team] msh-crypto design
and tests)


> I've talked to James about the CinCom implementation a couple of
> times. One thing that's a little disturbing is that he tells me that
> they haven't alerted BIS (formerly BXA) as to the existence of the
> package. The current rules for US open source crypto developers are
> that you have to alert the BIS (Bureau of Industry and Security)
> before you export (i.e. - upload to a ftp site, post to a newsgroup,
> or include in an email distribution that goes overseas) you're
> supposed to send an email message to them telling them where they can
> find a copy. I think this is to insure that it's really open source
> and to provide them with a working copy should they find bad guys are
> using your source. (saves them from having to reverse engineer the
> code.) I could be wrong about this, but you probably want to double-
> check with them...

I must say you have shocked me out of ignorance.  Or, rather, this did:

  http://www.bis.doc.gov/Encryption/nlr.htm

This makes no sense..

"The following items require such notification:

    * Mass market encryption commodities and software with key lengths not
exceeding 64-bits;
    * Encryption items (including key management products and company
proprietary implementations) with key lengths not exceeding 56-bits for
symmetric algorithms, up to 512-bits for asymmetric key exchange algorithms,
and 112 bits for elliptic curve algorithms."

The (already exported) algorithms can be configured for larger key sizes, is
this talking about default values for key lengths?

But it looks like their stenographer got it backward..!  It says, "the
following items REQUIRE notification" but then they specify key sizes "NOT
exceeding" but they surely mean exceeding.  Unreal.

I was on the verge of "exporting" a domain of security classes leveraging our
Cryptography package.  Is this about the stinkin' default values?  You may have
saved me from jail..


_______________________________________________
Cryptography mailing list
Cryptography at lists.squeakfoundation.org
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
