Date: Sun, 2 May 1999 13:57:45 +0930 (CST)
From: Kris Kennaway <kkennawa@physics.adelaide.edu.au>
To: "Harry M. Leitzell" <Harry_M_Leitzell@cmu.edu>
Cc: Robert Watson <robert+freebsd@cyrus.watson.org>, Poul-Henning Kamp <phk@critter.freebsd.dk>, The Tech-Admin Dude <geniusj@phoenix.unacom.com>, Brian Beaulieu <brian@capital-data.com>, freebsd-security@freebsd.org
Subject: Re: Blowfish/Twofish
Message-ID: <Pine.OSF.4.10.9905021341310.22710-100000@bragg>
In-Reply-To: <Pine.SOL.3.96L.990501230902.19529D-100000@unix13.andrew.cmu.edu>
On Sat, 1 May 1999, Harry M. Leitzell wrote:

> I am unaware of the restriction laws placed upon the US in terms of
> encryption. Could someone clarify them for me?

As I understand it, it's illegal to export products containing cryptography stronger than certain prescribed key lengths outside the US without a permit. There are exceptions, such as financial institutions and subsidiaries of US companies, and recently "e-Commerce" client/server applications also (e.g. SSL-enabled commerce services, but not general-purpose web browsers), but for general-purpose applications you're limited to something like 40-bit and (limited) 56-bit encryption keys. There's been a lot of pressure on the US government to ease these restrictions (which they claim are targeted against "terrorists" using encryption to mask their activities) but progress has been slow in getting them to open up the regulations.

> 1) If Robert were to write code on a machine that is in a foreign
> country, would it have been considered exported? (Xterm on a cs.hut.fi
> machine for example to code in) Even if he is in the US while doing so?

Yes. Also if a foreigner were to download restricted crypto code from say an FTP server in the US then the owner of the site could conceivably be put up for treason charges :-) This is why FreeBSD (and other projects) either maintain their cryptography code outside the US (the OpenBSD project is housed in Canada), or have two separate repositories (domestic and international). I'd guess that synching "supporting" code changes unrelated to the actual encryption process between the two repositories is legal providing none of the actual cryptography-making code leaves the US.

> 2) Can we still do the moving by paper to another country and
> scanning it in? Is that legitimate or been deemed illegal?

That's still a loophole, ISTR - it's how the PGP 5.0 sources were exported to Finland and published there.

Hmm..I recall half-hearing a story recently about a guy who found himself being classified as a munition after trying to "export" the restricted cryptography code which was written or tattooed onto his arm. Was I dreaming? :)

> 3) If I write a disk encryptor that sits on the MBR and transfer the
> disk out of country, is that a no-no?

I'd say so. If these issues are relevant to you then I recommend you look into the exact regs further..they're fairly involved.

Kris

-----
"That suit's sharper than a page of Oscar Wilde witticisms that's been rolled up into a point, sprinkled with lemon juice and jabbed into someone's eye"
"Wow, That's sharp!"
- Rimmer and the Cat, _Red Dwarf_