Re: Proposed Extensions to TLS for OpenPGP
>> At 7:00 PM -0800 12/31/97, EKR wrote:
>Sorry I wasn't clear. The point I was trying to make was
>that Netscape would still have to ship their export products, no?
>Otherwise Fortify doesn't work, right? That said, there will be
>a lot of people who don't bother to upgrade (just like there
>are a lot of Americans who don't bother to get the domestic
>Netscape.) Consequently, we've still got a lot of export
>SSL implementations floating around. Does that seem like a
>reasonable assessment of the situation to you?
Like markets, in which there will always be some who pay more or less for the same item/service due primarily to their knowledge, there will be those whose communications will be more easily compromised and others who will not. This is a job for the media and informed Netizens: to educate their brethren about how secure the software they use is against various individuals or organizations which would seek to read their email, and what they can do about it.
>
>Incidentally, I think this is probably a dangerous course of
>action. The EAR <http://www.bxa.doc.gov/supp6.htm> 7 day review
>criteria explicitly state:
>
> (iv) The software must not allow the alteration of the data
>encryption mechanism and its associated key spaces by the user or
>any other program
>
>It seem that Fortify is a constructive proof that the program
>in question violates this criterion. That doesn't mean it's
>ineligible for CJ completely but I wouldn't want to try to get
>approval for it either.
I'm sure the EAR enforcement folks are well aware of how well or poorly the various software they approve for export adheres to regulation. I'll leave it to the individual corporations and EAR to sort this out.
The point I was trying to make is that from a practical standpoint companies like Netscape need change nothing. Just keep their code structured the same way and let unrelated 3rd parties "do the dirty work."
--Steve