18 Apr 2011 23:23
Re: [ietf-privacy] wrt tcpcrypt and obscrypt
Dean Willis <dean.willis <at> softarmor.com>
2011-04-18 21:23:49 GMT
2011-04-18 21:23:49 GMT
On Apr 13, 2011, at 3:59 AM, bmanning <at> vacation.karoshi.com wrote:
On Tue, Apr 12, 2011 at 11:58:14PM -0500, Dean Willis wrote:On Apr 12, 2011, at 12:16 PM, bmanning <at> vacation.karoshi.com wrote:
I don't think it is a trivial matter to have the IETF working on confidentiality & privacy by mandating strong
encryption in Internet (global) standards. I suspect the intersection of national laws and technical standards
is going to be a difficult road to walk, esp if there is a desire for a global standard.
We should perhaps focus on publishing technically correct standards with as few security flaws and weaknesses as we can manage. Trying to decide whether the specification can be legally implemented in Jurisdiction X, Y, Z, and so on is an impossibly large problem.
no problem with that... however - at least in the US and as a US national, I don't think I can
(with out filing forms and getting permission -ahead- of time) work on confidentiality/privacy,
techniques in an open forum. and I am pretty sure that other sovreigns have the same issues.
Sue you can. You just can't export executable code for a certain subset of applications without prior EAR approval. I'm not a lawyer, but I have coordinated export for a company that was shipping SIP proxies with TLS support for signaling. Actually, it was more like cleaning up the situation for a company that had been accidentally exporting such function without having done all the needed paperwork, but it's clearly doable.
Even in the US, a fairly broad range of applications in unrestricted. This includes a cryptographic applications that do not have generic data-object encryption as their primary function, including crypto for copy protection, digital rights restriction, and arguably (having argued this with apparent success for SIP/TLS) protection of signaling to/from a service platform.
Even exporting products containing the code for general purpose encryption of the sorts used in most IETF specs is a fairly straightforward reporting exercise. If it weren't, you wouldn't see anybody running an Apache web server, and you wouldn't be able to download the J2EE SDK from Oracle//Sun/whatever owns it today.
Yes, Phil Z may have been arrested over PGP, but that was arguably as much an intellectual-property snit with RSA as it was an export control issue. And as you may recall, the case eventually faded away, though things were a bit tense for awhile.
its not just the code, its illegal to share work on some of these topics in some venues.
this is a topic that -REALLY- needs to have the ISOC/IETF legal team look at closely before
we engineers go off half-cocked and get ourselves, our employers, and the IETF into international
The IETF has quite effectively published dozens of RFCs for SSL, TLS, PKIX, DTLS, SRTP/DTLS, and now ZRTP. We've also published lots of higher-level specs that reference these at a "MUST implement" level. It's been looked at fairly closely. It seems unlikely that we'd be faulted for pushing the specs a little further to add "MUST NOT implement a null cipher" requirement.
So, Kanuckistan or other locales might restrain their citizens from participation. They probably don't let them leave the country to attend IETF meetings either, so who cares what their rules are? We're not going to force them to develop the capacity to engage in international business; if a nation really wants to be a stagnant backwater with a starving citizenry and intellectually inbred leadership they can just choose not to play along.
_______________________________________________ obscurity-interest mailing list obscurity-interest <at> ietf.org https://www.ietf.org/mailman/listinfo/obscurity-interest