Features Download
From: Dean Willis <dean.willis <at> softarmor.com>
Subject: Re: [ietf-privacy] wrt tcpcrypt and obscrypt
Newsgroups: gmane.ietf.obscurity
Date: Monday 18th April 2011 21:23:49 UTC (over 6 years ago)
On Apr 13, 2011, at 3:59 AM, [email protected] wrote:

> On Tue, Apr 12, 2011 at 11:58:14PM -0500, Dean Willis wrote:
>> On Apr 12, 2011, at 12:16 PM, [email protected] wrote:
>>> I don't think it is a trivial matter to have the IETF working on
confidentiality & privacy by mandating strong
>>> encryption in Internet (global) standards.  I suspect the intersection
of national laws and  technical standards
>>> is going to be a difficult road to walk, esp if there is a desire for a
global standard.
>> We should perhaps focus on publishing technically correct standards with
as few security flaws and weaknesses as we can manage. Trying to decide
whether the specification can be legally implemented in Jurisdiction X, Y,
Z, and so on is an impossibly large problem.
> 	no problem with that... however - at least in the US and as a US
national, I don't think I can
> 	(with out filing forms and getting permission -ahead- of time) work on
> 	techniques in an open forum.  and I am pretty sure that other sovreigns
have the same issues.

Sue you can. You just can't export executable code for a certain subset of
applications without prior EAR approval. I'm not a lawyer, but I have
coordinated export for a company that was shipping SIP proxies with TLS
support for signaling. Actually, it was more like cleaning up the situation
for a company that had been accidentally exporting such function without
having done all the needed paperwork, but it's clearly doable.

Even in the US, a fairly broad range of applications in unrestricted. This
includes a cryptographic applications that do not have generic data-object
encryption as their primary function, including crypto for copy protection,
digital rights restriction, and arguably (having argued this with apparent
success for SIP/TLS) protection of signaling to/from a service platform.

Even exporting products containing the code for general purpose encryption
of the sorts used in most IETF specs is a fairly straightforward reporting
exercise. If it weren't, you wouldn't see anybody running an Apache web
server, and you wouldn't be able to download the J2EE SDK from
Oracle//Sun/whatever owns it today.

Yes, Phil Z may have been arrested over PGP, but that was arguably as much
an intellectual-property snit with RSA as it was an export control issue.
And as you may recall, the case eventually faded away, though things were a
bit tense for awhile.


> 	its not just the code, its illegal to share work on some of these topics
in some venues.
> 	this is a topic that -REALLY- needs to have the ISOC/IETF legal team
look at closely before
> 	we engineers go off half-cocked and get ourselves, our employers, and
the IETF into international
> 	legal trouble.

The IETF has quite effectively published dozens of RFCs for SSL, TLS, PKIX,
DTLS, SRTP/DTLS, and now ZRTP. We've also published lots of higher-level
specs that reference these at  a "MUST implement" level. It's been looked
at fairly closely. It seems unlikely that we'd be faulted for  pushing the
specs a little further to add "MUST NOT implement a null cipher"

So, Kanuckistan or other locales might restrain their citizens from
participation. They probably don't let them leave the country to attend
IETF meetings either, so who cares what their rules are? We're not going to
force them to develop the capacity to engage in international business; if
a nation really wants to be a stagnant backwater with a starving citizenry
and intellectually inbred leadership they can just choose not to play

CD: 3ms