
Re: Proposed Extensions to TLS for OpenPGP

1998-01-01 19:40:27
At 7:00 PM -0800 12/31/97, EKR wrote:
> Sorry I wasn't clear. The point I was trying to make was
> that Netscape would still have to ship their export products, no?
> Otherwise Fortify doesn't work, right? That said, there will be
> a lot of people who don't bother to upgrade (just like there
> are a lot of Americans who don't bother to get the domestic
> Netscape.) Consequently, we've still got a lot of export
> SSL implementations floating around. Does that seem like a
> reasonable assessment of the situation to you?

Like markets, in which there will always be some who pay more or less for the 
same item/service due primarily to their knowledge, there will be those whose 
communications will be more easily compromised and others who will not. This 
is a job for the media and informed Netizens: to educate their brethren about 
how secure the software they use is against various individuals or 
organizations which would seek to read their email, and what they can do about 

> Incidentally, I think this is probably a dangerous course of
> action. The EAR <> 7 day review
> criteria explicitly state:
>
>   (iv) The software must not allow the alteration of the data
> encryption mechanism and its associated key spaces by the user or
> any other program
>
> It seems that Fortify is a constructive proof that the program
> in question violates this criterion. That doesn't mean it's
> ineligible for CJ completely but I wouldn't want to try to get
> approval for it either.

I'm sure the EAR enforcement folks are well aware of how well or poorly various 
software they approve for export adhere to regulation.  I'll leave it to the 
individual corporations and EAR to sort this out.

The point I was trying to make is that from a practical standpoint companies 
like Netscape need change nothing.  Just keep their code structured the same 
way and let unrelated 3rd parties "do the dirty work."

