ietf-openpgp

Re: Proposed Extensions to TLS for OpenPGP

1997-12-31 00:10:19
Will, I'm not particularly interested in debating protocol
level crypto policy here. However, the crypto export laws
are reality for most people here, and I find your attempt to
imply that they're easily worked around fairly disingenuous.

Will Price <wprice(_at_)pgp(_dot_)com> writes:
> At Pretty Good Privacy, we developed a reliable system which will be
> continued by Network Associates.  The outline: write source code for
> product, print source code in book, distribute book using normal means.
> Now the process becomes somewhat foggier.  In any case, printed source code
> for product gets exported -- note that this is of course legal.
> Individuals outside the US scan source code.  A legally exported binary
> version of the product then becomes available internationally.  Copyrights,
> trademarks, and licenses protect the original vendor and revenue can be
> made off the exported product.  This is only one highly functional system
> for getting this done.
It's hard to believe that this is really going to work for many
real programs. Have you seen the size of Netscape lately? Have
you noticed how often Netscape ships new versions? (I'm not
trying to pick on Netscape here. IE has similar characteristics.
There are plenty of other big programs, but web browsers have
particularly fast release cycles.)

> insecure.  Such stories reduce user faith in everybody's security products.
> The only solution is public code review.
It's not obvious this makes much of a difference. Note that Sendmail
source code has been widely available since the beginning.

> Some companies will undoubtedly never bring themselves to implementing one
> of the above systems and will thus be relegated to snake oil security
> internationally until the laws in the US change.
I think it's unreasonable to say that 40 bit crypto is "snake oil".
It's exactly as strong as advertised. There's no secret about the
situation.

> Let's not infect our protocols with such politics.  TLS 1.0 is a done deal
> as far as I'm concerned.  SSL3 had export algorithms, so TLS1 does too,
> fine.  There are now many better solutions to the export problem,
Perhaps, but you haven't suggested any.

-Ekr

-- 
[Eric Rescorla                             Terisa Systems, Inc.]
                "Put it in the top slot."