Re: OpenSSL and Mac OS and export fun
On Sat, 20 Nov 1999, Wilfredo Sanchez wrote:

> Dr Stephen Henson [EMAIL PROTECTED]:
> | I'm no expert but what you are suggesting sounds like "crypto with a
> | hole" which has been asked about before and people have been told it's
> | illegal.
>
> I'm aware of this rumor, though I've never once heard it said by someone who had actually discussed it with the government. In any case, I had this in mind when I was talking to the NSA and explicitly brought it up multiple times to make sure they understood what I was doing, and in all cases they said OK.

Can you get it in writing? It is difficult to get telephone conversations into court. Each party contrives to remember them differently.

--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Please, no more software products offering a "richer experience"! I have indigestion of the brain already. Give me a more ascetic experience.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
Re: OpenSSL and Mac OS and export fun
Rich Salz wrote:

> To the best of my recollection, the following is a direct quote from one of the NSA folks:
>
>     ... we call that crypto-with-a-hole and we don't allow that to be exported

Hmm ... thought it was the DoC that wrote the export rules. :-)

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi
Re: OpenSSL and Mac OS and export fun
Rich,

Was I there? ;)

Greg Stark

----- Original Message -----
From: "Rich Salz" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, November 20, 1999 11:56 PM
Subject: Re: OpenSSL and Mac OS and export fun

> | I'm no expert but what you are suggesting sounds like "crypto with a
> | hole" which has been asked about before and people have been told it's
> | illegal.
>
> I'm aware of this rumor, though I've never once heard it said by someone who had actually discussed it with the government.

Okay. While I was an employee of the Open Software Foundation (now known as The Open Group) I participated in several discussions with the NSA (and, sometimes, a large Unix vendor) to talk about source and binary export of DCE, DCE/PKI projects, and DCE-Web.

To the best of my recollection, the following is a direct quote from one of the NSA folks:

    ... we call that crypto-with-a-hole and we don't allow that to be exported

I remember the names of many present at one or more of those meetings and could give them were I subpoena'd. :)

/r$
Re: OpenSSL and Mac OS and export fun
With Rich and Greg offering their recollections, there should be no need for further confirmation, but I too have had similar conversations with NSA/BXA reps.

I suggest, however, that this too might possibly change with the new update in the BXA regs, expected soon.

_Vin

At 08:40 AM 11/21/99 -0500, Gregory Stark wrote:

> Rich,
>
> Was I there? ;)
>
> Greg Stark
>
> ----- Original Message -----
> From: "Rich Salz" [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Saturday, November 20, 1999 11:56 PM
> Subject: Re: OpenSSL and Mac OS and export fun
>
> > | I'm no expert but what you are suggesting sounds like "crypto with a
> > | hole" which has been asked about before and people have been told it's
> > | illegal.
> >
> > I'm aware of this rumor, though I've never once heard it said by someone who had actually discussed it with the government.
>
> Okay. While I was an employee of the Open Software Foundation (now known as The Open Group) I participated in several discussions with the NSA (and, sometimes, a large Unix vendor) to talk about source and binary export of DCE, DCE/PKI projects, and DCE-Web.
>
> To the best of my recollection, the following is a direct quote from one of the NSA folks:
>
>     ... we call that crypto-with-a-hole and we don't allow that to be exported
>
> I remember the names of many present at one or more of those meetings and could give them were I subpoena'd. :)
>
> /r$
Re: OpenSSL and Mac OS and export fun
Fred wrote (talking about NSA):

> 56-bit DES is no problem. 56-bit restricted RSA is no problem. 3DES is not allowed. In general, they seemed to imply 56 bits of anything is no problem, but I'll have to double check that. Probably if there were such a thing as 128-bit rot13 it would not be allowed. They seem preoccupied with bits.

You seem to mean that 3DES is not harder to crack than any 56-bit encryption. I know that DES cipher texts have been cracked, but do you have an example where 3DES was cracked?

Nicolas Roumiantzeff.
Re: OpenSSL and Mac OS and export fun
Wilfredo Sanchez wrote:

> I need some help with making a US-export happy OpenSSL. So I had a phone call with the NSA here and asked them what I can get away with. Note that the conversation was specific to Apple, and not necessarily applicable to my fellow Americans, but I doubt that we are super special.
>
> 56-bit DES is no problem. 56-bit restricted RSA is no problem.

56-bit RSA? Surely not! Did you mean 1024 bit?

> 3DES is not allowed. In general, they seemed to imply 56 bits of anything is no problem, but I'll have to double check that. Probably if there were such a thing as 128-bit rot13 it would not be allowed. They seem preoccupied with bits.
>
> I'm waiting on the actual approval to come to my desk to be sure about this area; our lawyers have it.
>
> RSA patents aren't a problem for us.
>
> The plan is for OpenSSL to be a dynamic shared library. Therefore, if you manage to get a hold of a stronger version and drop it in, all binaries should be able to take advantage of the stronger crypto. Yes, I brought this up in the phone call, and it's OK. It must, however, be necessary to replace (or edit) the library binary in order to enable stronger encryption.
>
> But I need to make OpenSSL comply with the above bit limits and whatnot. Is this:
>
> a) Doable? Easy? How do I proceed?
> b) Still going to give me a (moderately) useful SSL?

Depends what you want to do. If you only want to do SSL, then just strip out the ciphersuites you don't want to allow. Note that you'll have to enable the "new" ciphersuites to get 1024/56, and further note that they don't work properly coz they get ordered incorrectly in the negotiation - someone was working on that, but I've been megabusy lately and lost track of the status - where's that at?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
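Ben's advice above is to strip the ciphersuites you don't want from the list OpenSSL offers, and Nicolas's question earlier in the thread about DES versus 3DES turns on the difference between a cipher's nominal key bits and its effective strength. The following is an added example, not code from this thread or from the OpenSSL project: it uses Python's standard `ssl` module (a much later interface to OpenSSL than the 1999 code under discussion) to perform the same stripping operation from the defender's side, keeping only TLS 1.2-and-below ciphers whose OpenSSL-reported effective strength meets a floor rather than a ceiling. The `SAMPLE_CIPHERS` records are constructed to mirror the shape of `SSLContext.get_ciphers()` output; the function names and the `min_strength_bits` threshold are this example's own.

```python
import ssl

# Constructed sample records, shaped like ssl.SSLContext.get_ciphers() output
# (only the keys this example reads are included). Note the 3DES entry: 168
# algorithm bits, but OpenSSL reports 112 bits of effective strength because of
# the meet-in-the-middle attack on the three-key construction.
SAMPLE_CIPHERS = [
    {"name": "DES-CBC-SHA", "protocol": "SSLv3", "alg_bits": 56, "strength_bits": 56},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3", "alg_bits": 168, "strength_bits": 112},
    {"name": "AES128-GCM-SHA256", "protocol": "TLSv1.2", "alg_bits": 128, "strength_bits": 128},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "alg_bits": 256, "strength_bits": 256},
    {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3", "alg_bits": 128, "strength_bits": 128},
]


def filter_cipher_names(ciphers, min_strength_bits):
    """Names of TLS 1.2-and-below ciphers whose effective strength meets the floor.

    TLS 1.3 suites are left out on purpose: SSLContext.set_ciphers() does not
    govern them (OpenSSL keeps a separate TLS 1.3 ciphersuite list), and every
    TLS 1.3 suite is at least 128 bits anyway.
    """
    return [
        c["name"]
        for c in ciphers
        if c["protocol"] != "TLSv1.3" and c["strength_bits"] >= min_strength_bits
    ]


def restrict_context(ctx, min_strength_bits=128):
    """Strip every legacy cipher below the floor from ctx; return the names kept."""
    allowed = filter_cipher_names(ctx.get_ciphers(), min_strength_bits)
    if not allowed:
        # set_ciphers() would raise SSLError on an empty list; fail with a clearer message.
        raise ValueError("no cipher meets the %d-bit floor" % min_strength_bits)
    ctx.set_ciphers(":".join(allowed))
    return allowed


def weakest_legacy_strength(ctx):
    """Lowest effective strength among the TLS 1.2-and-below ciphers ctx still offers."""
    legacy = [c["strength_bits"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return min(legacy) if legacy else None


def restricted_client_context(min_strength_bits=128):
    """Build a default client context, apply the floor, return (ctx, kept_names)."""
    ctx = ssl.create_default_context()
    kept = restrict_context(ctx, min_strength_bits)
    return ctx, kept


if __name__ == "__main__":
    print("sample at 112-bit floor:", filter_cipher_names(SAMPLE_CIPHERS, 112))
    context, kept_names = restricted_client_context(128)
    print("kept %d legacy ciphers, weakest %s bits" % (len(kept_names), weakest_legacy_strength(context)))
```

Filtering on `strength_bits` rather than `alg_bits` is what makes 3DES land where it belongs: it passes a 112-bit floor and fails a 128-bit one, even though its key is nominally 168 bits. The same `set_ciphers()` string mechanism is how a cipher list would be narrowed in either direction; the example simply applies it as a minimum.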
Re: OpenSSL and Mac OS and export fun
Lutz Jaenicke wrote:

> On Fri, Nov 19, 1999 at 10:07:28AM +, Ben Laurie wrote:
>
> > Depends what you want to do. If you only want to do SSL, then just strip out the ciphersuites you don't want to allow. Note that you'll have to enable the "new" ciphersuites to get 1024/56, and further note that they don't work properly coz they get ordered incorrectly in the negotiation - someone was working on that, but I've been megabusy lately and lost track of the status - where's that at?
>
> You should have it in your mailbox since Nov 11 :-) I can send you another copy if you cannot find it.

Oops. Was it sent to the list?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
OpenSSL and Mac OS and export fun
I need some help with making a US-export happy OpenSSL. So I had a phone call with the NSA here and asked them what I can get away with. Note that the conversation was specific to Apple, and not necessarily applicable to my fellow Americans, but I doubt that we are super special.

56-bit DES is no problem. 56-bit restricted RSA is no problem. 3DES is not allowed. In general, they seemed to imply 56 bits of anything is no problem, but I'll have to double check that. Probably if there were such a thing as 128-bit rot13 it would not be allowed. They seem preoccupied with bits.

I'm waiting on the actual approval to come to my desk to be sure about this area; our lawyers have it.

RSA patents aren't a problem for us.

The plan is for OpenSSL to be a dynamic shared library. Therefore, if you manage to get a hold of a stronger version and drop it in, all binaries should be able to take advantage of the stronger crypto. Yes, I brought this up in the phone call, and it's OK. It must, however, be necessary to replace (or edit) the library binary in order to enable stronger encryption.

But I need to make OpenSSL comply with the above bit limits and whatnot. Is this:

a) Doable? Easy? How do I proceed?
b) Still going to give me a (moderately) useful SSL?

-Fred

--
Wilfredo Sanchez, [EMAIL PROTECTED]
Apple Computer, Inc., Core Operating Systems / BSD
Technical Lead, Darwin Project
1 Infinite Loop, 302-4K, Cupertino, CA 95014