
Re: Proposed Extensions to TLS for OpenPGP
Will, I'm not particularly interested in debating protocol
level crypto policy here. However, the crypto export laws
are reality for most people here, and I find your attempt to
imply that they're easily worked around fairly disingenuous.

Will Price <wprice@xxxxxxx> writes:
> At Pretty Good Privacy, we developed a reliable system which will be
> continued by Network Associates.  The outline: write source code for
> product, print source code in book, distribute book using normal means.
> Now the process becomes somewhat foggier.  In any case, printed source code
> for product gets exported -- note that this is of course legal.
> Individuals outside the US scan source code.  A legally exported binary
> version of the product then becomes available internationally.  Copyrights,
> trademarks, and licenses protect the original vendor and revenue can be
> made off the exported product.  This is only one highly functional system
> for getting this done.
It's hard to believe that this is really going to work for many
real programs. Have you seen the size of Netscape lately? Have
you noticed how often Netscape ships new versions? (I'm not
trying to pick on Netscape here. IE has similar characteristics.
There are plenty of other big programs, but web browsers have
particularly fast release cycles.)

> insecure.  Such stories reduce user faith in everybody's security products.
> The only solution is public code review.
It's not obvious this makes much of a difference. Note that Sendmail
source code has been widely available since the beginning.

> Some companies will undoubtedly never bring themselves to implementing one
> of the above systems and will thus be relegated to snake oil security
> internationally until the laws in the US change.
I think it's unreasonable to say that 40 bit crypto is "snake oil".
It's exactly as strong as advertised. There's no secret about the
situation.

> Let's not infect our protocols with such politics.  TLS 1.0 is a done deal
> as far as I'm concerned.  SSL3 had export algorithms, so TLS1 does too,
> fine.  There are now many better solutions to the export problem,
Perhaps, but you haven't suggested any.

-Ekr

-- 
[Eric Rescorla                             Terisa Systems, Inc.]
		"Put it in the top slot."