Re: Request for more info on PEM

1995-01-11 09:19:00
         I am interested in the Privacy Enhanced Mail, PEM.  I would 
         appreciate you sending me more information.

Your question was sent to the PEM developers discussion list. There is no
secretariat function that would correspond to the "you" in your sentence, but
I'm attaching some information as to how to get more details.
         We have field offices in CIS countries such as Moldova, Armenia, 
         Can I use PEM in the countries mentioned ?

There are at least three issues involved in that question:

1. Can I USE PEM in those countries?  Maybe, but some countries have quite
strict laws regarding either the IMPORTATION or USE of encryption technology.
You'd better check with your legal counsel.

2. Can I EXPORT PEM from the US (or from any other country that has a locally
developed implementation)? Yes, but you have to get an export license from the
US Dept. of State, as encryption technology in the US is subject to the
International Traffic in Arms Regulations. Export licenses are sometimes
granted to US companies doing business in the CIS, depending on how the
materials would be controlled, but it is not common. What the situation would
be for an international organization such as the World Bank is far beyond my
understanding. Export controls generally involve the State Department (which
consults the Department of Defense) and the Department of Commerce. However,
banking applications also involve the Department of the Treasury, and have
traditionally been granted a more liberal use. My advice would be to get the
diplomats involved.

3. Can I use PEM to SEND messages from one country to Moldova, Armenia, Russia,
etc.?  Maybe, and maybe not. There are no controls imposed in the United States
(so far!) regarding the USE of encryption technology, either domestically or
internationally. The same is NOT true for all other countries, e.g., France,
and some of the Scandinavian/Nordic countries, where special arrangements may
have to be made to deposit the encryption keys with the government or there may
be special concerns regarding privacy issues. Encrypted broadcast messages sent
from your headquarters to multiple countries might cause a number of problems.

Generally speaking, the controls that are placed on digital signature
technology are much less onerous than those placed on encryption, so if you only
need to validate the authenticity of a message you may have an easier time. There
are versions of RSAREF and RIPEM that have blanket approvals for export from the
US because they only implement digital signatures.

As a final note, the controls in this area are falling apart as a result of the
ebb and flow in East/West relations, with an increasing emphasis being placed
on some North/South concerns and specific regimes. The US still maintains
unilateral controls, but the rest of the former COCOM countries may not.
Recently, Russia has applied for and been granted a special status as a
an affiliate (or something) COCOM country, as they are concerned about the
proliferation of military technology to the third world as well.

If all else fails and you solve the export problem from the US, you might look
around for implementations in other countries. I'll let individuals on this
list introduce themselves to you privately, but there are people from
Switzerland, Roumania, Sweden, Germany, the UK, France, Japan, and probably
lots more that might be able to help you find an indigenous source for PEM. I'm
not aware of any from the countries you mentioned, but I wouldn't be surprised.
You might also check with the Russians themselves!

Good luck -- you have some tough problems ahead of you, at least if you try to
be legal and above board. (On the other hand, it is a little hard to imagine
prosecuting the World Bank!)


Robert R. Jueneman
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
FAX: 1-617-466-2603 
Voice: 1-617-466-2820

From: List Master (agent: David Balenson) <pem-dev-request(_at_)tis(_dot_)com>
Date: Fri, 06 Jan 1995 14:15:10 EST
To: Jueneman(_at_)gte(_dot_)com
Subject: Re: about pem-dev

PEM-DEV is a mailing list for discussions related to the development and
deployment of Privacy Enhanced Mail (PEM) systems.

                         WHAT IS PEM?

PEM is an IAB standards track protocol for the Internet community, and
is now a Proposed Standard Protocol.

PEM specifies protocol extensions and processing procedures for
cryptographic-based message encipherment and authentication for
electronic mail transferred using the Internet mail protocols.  PEM
includes the specification of a supporting key management architecture
and infrastructure, based on public key certificates.  The key
management architecture is compatible with the authentication framework
described in CCITT X.509, The Directory - Authentication Framework.

PEM is defined in a series of four documents:

   RFC 1421: Privacy Enhancement for Internet Electronic Mail:
             Part I: Message Encryption and Authentication Procedures

   RFC 1422: Privacy Enhancement for Internet Electronic Mail:
             Part II: Certificate-Based Key Management

   RFC 1423: Privacy Enhancement for Internet Electronic Mail:
             Part III: Algorithms, Modes, and Identifiers

   RFC 1424: Privacy Enhancement for Internet Electronic Mail:
             Part IV: Key Certification and Related Services

Various organizations are jointly developing RFC-compliant software for
deployment in the Internet in order to encourage the use and
development of RFC-based privacy enhanced mail systems.

                    WHAT IS THE PEM-DEV MAILING LIST?

The PEM-DEV mailing list is intended to cover a wide range of
discussion including:

o  General discussion among the members of the Internet Engineering
   Task Force (IETF) PEM Working Group.

o  Issues related to the protocol extensions and message
   processing procedures and the key management architecture and

o  Issues related to the development and deployment of privacy
   enhanced mail systems, including technical issues, development
   status, availability, etc.

Please send contributions to the list proper to "pem-dev(_at_)tis(_dot_)com".
Administrivia, e.g., additions to or deletions from the list, should be
sent to "pem-dev-request(_at_)tis(_dot_)com".

-David Balenson <pem-dev-request(_at_)tis(_dot_)com>

From: List Master (agent: David Balenson) <pem-dev-request(_at_)tis(_dot_)com>
Date: Fri, 06 Jan 1995 14:42:11 EST
To: Jueneman(_at_)gte(_dot_)com
Subject: Re: Getting PEM-DEV Archives


The PEM-DEV archives are available via anonymous FTP.  To access
the archives, please FTP to:

        login:  anonymous

The archives are located in the directory pub/PEM-DEV/archives.  Please
see the file pub/PEM-DEV/README for details.

The archives are also available via electronic mail by sending a
message to "pem-dev-request(_at_)tis(_dot_)com".  The message must contain two
fields, a Subject field and a Reply-To field, which must be located and
formatted as described below:

(1) The Subject field of the message must be located in the headers of
    the message, and must be formatted as follows:

        Subject: get pem-dev archive volume VOL number NUM

    where "VOL" is the volume number of the digest and "NUM" is the
    number of that volume.  Do NOT include leading zeroes.  The
    volume number changes when it is convenient for the maintainer, not
    at specific intervals.

(2) The Reply-To field can be located either in the body or in the
    headers of the message, and must be formatted as follows:

        Reply-To: ADDRESS

    where "ADDRESS" is your address AS IT WOULD LOOK TO MY HOST.  I
    will help you determine that address if you need it.  If you place
    the "reply-to" in the headers rather than the body, you must be
    certain that it will be altered properly along the path to me so
    that it reflects the proper return address.

The sixth (6th) volume is currently under construction.

An index is available for each volume.  It may be retrieved by
requesting number 0 of the desired volume.  The index consists of a
collection of the subject lines of all messages in all the digests of
the requested volume, preceded by the digest number in which that
subject line appears.

-David Balenson <pem-dev-request(_at_)tis(_dot_)com>
