At 7:00 PM -0800 12/31/97, EKR wrote:
Sorry I wasn't clear. The point I was trying to make was
that Netscape would still have to ship their export products, no?
Otherwise Fortify doesn't work, right? That said, there will be
a lot of people who don't bother to upgrade (just like there
are a lot of Americans who don't bother to get the domestic
Netscape.) Consequently, we've still got a lot of export
SSL implementations floating around. Does that seem like a
reasonable assessment of the situation to you?
Like markets, in which there will always be some who pay more or less for the
same item/service due primarily to their knowledge, there will be those who's
communications will be more easily compromised and other's who will not. This
is a job for the media and informed Netizens: to educate their brethern about
how secure the software they use is against various individuals or
organizations which would seek to read their email, and what they can do about
it.
Incidentally, I think this is probably a dangerous course of
action. The EAR <http://www.bxa.doc.gov/supp6.htm> 7 day review
criteria explicitly state:
(iv) The software must not allow the alteration of the data
encryption mechanism and its associated key spaces by the user or
any other program
It seem that Fortify is a constructive proof that the program
in question violates this criterion. That doesn't mean it's
ineligible for CJ completely but I wouldn't want to try to get
approval for it either.
I'm sure the EAR enforcement folks are well aware of how well or poorly various
software they approve for export adhere to regulation. I'll leave it to the
individual corporations and EAR to soft this out.
The point I was trying to make is that from a practical standpoint companies
like Netscape need change nothing. Just keep their code structured the same
way and let unrelated 3rd parties "do the dirty work."
--Steve