ietf-openpgp

Re: Proposed Extensions to TLS for OpenPGP

1997-12-30 04:09:02
William H. Geiger III wrote:
In <34A88EC3(_dot_)7B2C1260(_at_)netscape(_dot_)com>, on 12/30/97
   at 01:03 AM, Tom Weinstein <tomw(_at_)netscape(_dot_)com> said:

While I support the ideal of building standards that use strong crypto,
it does nobody any good to create a standard which won't get
implemented.  The export ciphers exist because in order for US software
manufacturers to use TLS, they have to be able to export the software
that includes it.  It is certainly true that there are many software
developers who live in the free world, but those of us stuck in the US
still need to sell software.

But who in their right minds are going to buy it??

Products compete along more than one axis.  It's a sad fact that much of
the most usable software is also some of the least secure.  It would be
great if the most popular product could always be the most secure, but it
doesn't always work out that way.  Do I really have to explain this to
anyone?

I for one would *never* recommend to my overseas clients to use crippled
US export crypto products. There are just too many people writing
non-crippled software to justify it.

At the very least one would think that the US vendors would put their
crypto code in one DLL and document the API so someone overseas could
replace it with something worth using. <sigh> I guess even that is too
much to ask.

If the US government would let us, you better believe we'd do it.  We have
no vested interest in helping the NSA eavesdrop on people.  We make money
by selling software that meets our customers' needs, and that includes being
secure.

The strategy you describe is called "crypto with a hole", and is explicitly
forbidden by the export regs.

-- 
What is appropriate for the master is not appropriate| Tom Weinstein
for the novice.  You must understand Tao before      | tomw(_at_)netscape(_dot_)com
transcending structure.  -- The Tao of Programming   |