Re: Proposed Extensions to TLS for OpenPGP
Eric and all,
EKR wrote:
>
> Will, I'm not particularly interested in debating protocol
> level crypto policy here. However, the crypto export laws
> are reality for most people here, and I find your attempt to
> imply that they're easily worked around fairly disingenuous.
True enough. I agree there are no easy workarounds. But
workarounds are really not the issue. US export and ITAR policy
is. You are correct, however, this is not a good forum to discuss
policy in that context.
> Will Price <wprice@xxxxxxx> writes:
> > At Pretty Good Privacy, we developed a reliable system which will be
> > continued by Network Associates. The outline: write source code for
> > product, print source code in book, distribute book using normal means.
> > Now the process becomes somewhat foggier. In any case, printed source code
> > for product gets exported -- note that this is of course legal.
> > Individuals outside the US scan source code. A legally exported binary
> > version of the product then becomes available internationally. Copyrights,
> > trademarks, and licenses protect the original vendor and revenue can be
> > made off the exported product. This is only one highly functional system
> > for getting this done.
> It's hard to believe that this is really going to work for many
> real programs.
No, not many, correct, but some. And this is part of the problem
which I believe Will's point is trying to make here.
> Have you seen the size of Netscape lately? Have
> you noticed how often Netscape ships new versions? (I'm not
> trying to pick on Netscape here. IE has similar characteristics.
> There are plenty of other big programs but web browsers have
> particularly fast release cycles.)
Exactly the point I believe Will was trying to make here.
>
> > insecure. Such stories reduce user faith in everybody's security products.
> > The only solution is public code review.
> It's not obvious this makes much of a difference. Note that Sendmail
> source code has been widely available since the beginning.
>
> > Some companies will undoubtedly never bring themselves to implementing one
> > of the above systems and will thus be relegated to snake oil security
> > internationally until the laws in the US change.
> I think it's unreasonable to say that 40 bit crypto is "snake oil".
> It's exactly as strong as advertised. There's no secret about the
> situation.
No, not snake oil, but for most serious applications nearly worthless.
>
> > Let's not infect our protocols with such politics. TLS 1.0 is a done deal
> > as far as I'm concerned. SSL3 had export algorithms, so TLS1 does too,
> > fine. There are now many better solutions to the export problem,
> Perhaps, but you haven't suggested any.
>
> -Ekr
>
> --
> [Eric Rescorla Terisa Systems, Inc.]
> "Put it in the top slot."
Regards,
--
Jeffrey A. Williams
DIR. Internet Network Eng/SR. Java Development Eng.
Information Eng. Group. IEG. INC. (Soon to be INEG. INC) Stay tuned!
E-Mail jwkckid1@xxxxxxxxxxxxx
Wisdom: "One who knows others is wise,
one who knows himself is enlightened."
Lao Tzu