Eric and all,
EKR wrote:
Will, I'm not particularly interested in debating protocol
level crypto policy here. However, the crypto export laws
are reality for most people here, and I find your attempt to
imply that they're easily worked around fairly disingenuous.
True enough. I agree There are no easy work arounds. But
workarounds are really not the issue. US export and ITAR policy
is. You are correct however this is not a good forum to discuss
policy in that context.
Will Price <wprice(_at_)pgp(_dot_)com> writes:
At Pretty Good Privacy, we developed a reliable system which will be
continued by Network Associates. The outline: write source code for
product, print source code in book, distribute book using normal means.
Now the process becomes somewhat foggier. In any case, printed source code
for product gets exported -- note that this is of course legal.
Individuals outside the US scan source code. A legally exported binary
version of the product then becomes available internationally. Copyrights,
trademarks, and licenses protect the original vendor and revenue can be
made off the exported product. This is only one highly functional system
for getting this done.
It's hard to believe that this is really going to work for many
real programs.
No not many, correct but some. And this is part of the problem to
which I believe Will's point is trying to make here.
Have you seen the size of Netscape lately. Have
you noticed how often Netscape ships new versions? (I'm not
trying to pick on Netscape here. IE has similar characteristics.
There are plenty of other big programs but web browsers hae
particularly fast release cycles.)
Exactly what I believe Will was trying to make here.
insecure. Such stories reduce user faith in everybody's security products.
The only solution is public code review.
It's not obvious this makes much of a difference. Note that Sendmail
source code has been widely available since the beginning.
Some companies will undoubtedly never bring themselves to implementing one
of the above systems and will thus be relegated to snake oil security
internationally until the laws in the US change.
I think it's unreasonable to say that 40 bit crypto is "snake oil".
It's exactly as strong as advertised. There's no secret about the
situation.
No, not snake oil, but for most serious applications nearly worthless.
Let's not infect our protocols with such politics. TLS 1.0 is a done deal
as far as I'm concerned. SSL3 had export algorithms, so TLS1 does too,
fine. There are now many better solutions to the export problem,
Perhaps, but you haven't suggested any.
-Ekr
--
[Eric Rescorla Terisa Systems, Inc.]
"Put it in the top slot."
Regards,
--
Jeffrey A. Williams
DIR. Internet Network Eng/SR. Java Development Eng.
Information Eng. Group. IEG. INC. (Soon to be INEG. INC) Stay tunned!
E-Mail jwkckid1(_at_)ix(_dot_)netcom(_dot_)com
Wisdom: "One who knows others is wise,
one who knows himself is enlightened."
Lao Tzu