[14806] in cryptography@c2.net mail archive
Open Source Embedded SSL - Export Questions
daemon@ATHENA.MIT.EDU (J Harper)
Tue Nov 25 19:44:32 2003
X-Original-To: cryptography@metzdowd.com
Reply-To: "J Harper" <jsec@peersec.com>
From: "J Harper" <jsec@peersec.com>
To: <cryptography@metzdowd.com>
Date: Mon, 24 Nov 2003 18:06:33 -0800
Hi All,
We've implemented a small version of SSL that we plan to release as open
source by year's end. I've seen some discussion on this group
indicating that this would be useful in the embedded environments, given
the current landscape of larger implementations such as OpenSSL
(Crypto++, etc). We developed this ourselves (using some of the crypto
routines in Tom's libtomcrypt) as part of our Web services based device
management software because we needed to keep our own footprint small,
and I imagine there are others looking to do the same.
Once our code is released, we welcome feedback in terms of additional
requirements, gotchas, etc. (and if you want to jump in now, that's fine
too). But before we can release, we need to understand the export
issues (we're a US based company). An overview of what we've developed
for the first release:
SSLv3 protocol implementation
Simple ASN.1 parsing
Cipher suites:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
We're not looking for official legal advice, just some pointers to
current online resources of how to go about registering our product in
the US. I've seen posts that for SSL implementations you "just need to
send a letter to the government", but haven't come across an official
government checklist and address. We may be able to weaken the code
down using the export ciphers, but I doubt end users will be interested
in that level of encryption. Plus, if we do have to limit key lengths,
it seems a bit arbitrary with open source code, since users can simply
change a few lines of code and have full strength crypto. Are there any
special provisions for source release (short of getting a tattoo,
singing an mp3 or sending a model rocket over to Mexico - kidding,
kidding)?
We'd appreciate feedback or pointers to documentation on the steps
required for government registration and an approximate timeframe for
the process. On a different, but similar legal note, what current
patent/trademark issues have people run across with the algorithms
mentioned above? RSA patents expired a few years ago and our ARC4
implementation is not trademarked as far as I understand (although most
books on the subject seem a bit squirrelly). Open source crypto
libraries include implementations of these and other disputed algorithms
including DSS and ECC, so I'm wondering how they handled the situation.
Thanks,
J Harper
PeerSec Networks
http://www.peersec.com