[2351] in cryptography@c2.net mail archive


Re: Rivest's Wheat & Chaff - A crypto alternative

daemon@ATHENA.MIT.EDU (Lucky Green)
Tue Mar 24 18:44:16 1998

Date: Tue, 24 Mar 1998 15:30:36 -0800 (PST)
From: Lucky Green <shamrock@netcom.com>
To: Rick Smith <rsmith@securecomputing.com>
cc: cryptography@c2.net
In-Reply-To: <v03007804b13ddcaeca6a@[172.17.1.150]>

On Tue, 24 Mar 1998, Rick Smith wrote:

> At 12:26 PM -0600 3/24/98, Mike Rosing wrote:
> 
> >The beauty is that you don't have to *apply* for an export license
> >because authentication is already exempt.  Until the rules get rewritten
> >of course :-)
> 
> This is the fly in the ointment. As long as an authentication product does
> *not* use encryption algorithms it does not need an export license.
> Unfortunately, encryption algorithms are a standard part of most strong
> authentication products. So, the products usually need to be reviewed.

This is of course incorrect. It is irrelevant what algorithms are used by 
the product. All that matters is the purpose of the product. The 
authentication product can contain RSA and 3DES, in source code form, and 
will still be exportable. 

To give an example, DNSSEC is freely downloadable from the US and has 
been deemed outside the scope of US encryption-related export regs by both 
the State Department and the Commerce Department. And this *despite* the 
fact that DNSSEC ships with a full copy of RSAREF in source code form.
See http://www.toad.com/dnssec/pressrel1.txt

US export regs do not reach authentication-only software, nor do they 
make any attempt to do so. Regardless of how easy it might be for 
"somebody" to turn the authentication-only product into an encryption 
product after legal export.

-- Lucky Green <mailto:shamrock@netcom.com> PGP encrypted mail preferred
