RE: Clarifying controversial criteria

Blake Ramsdell (BlakeR@deming.com)
Thu, 14 Mar 1996 03:37:00 -0800

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Previous message: Blake Ramsdell: "RE: Clarifying controversial criteria"

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.  Contact your
mail administrator for information about upgrading your reader to a version
that supports MIME.

------ =_NextPart_000_01BB1157.81CF3D10
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

On Wednesday, March 13, 1996 5:29 PM, Brad
Knowles[SMTP:brad@azathoth.ops.aol.com] wrote:
>>
>>    I have to side with Raph on this one.  It doesn't matter (to the
>>user) *why* something is "insecure", it just matters that the minimum
>>interoperable version is insecure.  The user doesn't care about
>>standards, they care about products.

That's kind of like saying "since Word can save text files which don't
retain any of the formatting, then I can't exchange documents that retain
the formatting with other people that use Word", which is, of course,
incorrect.  You simply select Word format as your output format.  Likewise,
you simply pick the algorithm type that matches your recipient, and if that
recipient can't take more than 40-bit encryption, then that's it.

>>    This is part of why I said "The *HELL* with ITAR" at the workshop.

Preach on, brother Brad!  I have one of those fist and lightning bolt
pictures on my home page also...

We can bitch about ITAR all we want, but if I want to ship a product with
encryption for export, then I have to follow the rules.

>>    Note that PGP and the products based on it are both interoperable
>>and secure by Raph's definition.  And this is a very important
>>distinction.  If the S/MIME, MOSS, or MSP implementors want the same,
>>then I think they need to explore how they could have versions
>>available outside the U.S.  that are "secure" and interoperable with
>>the versions available inside the U.S.  Even if the U.S. and non-U.S.
>>versions are available from two unrelated companies (or any two other
>>sources), so long as they are both secure and interoperable, the
>>criteria would be met.

Well, I guess we could accidentally let the source code leave the country,
and get into a big fight with the government and RSA...  No, wait, that's
been done already.

Certainly someone in another country can implement S/MIME using DES
EDE3-CBC, so it's just a matter of if/when critical mass is achieved.  I'm
not even sure that we can say PGP has any true foreign implementations,
since the foreign implementation that I'm aware of is 1. For non-commercial
use only, and 2. Based on source code that shouldn't have left the country
to begin with.  Has there been a foreign company that has done a cleanroom
version of PGP for commercial use?

Blake

------ =_NextPart_000_01BB1157.81CF3D10--

Previous message: Blake Ramsdell: "RE: Clarifying controversial criteria"