[3501] in cryptography@c2.net mail archive
Re: Netscape Wants MS to Weaken IE's SSL/RSA Handshake for Export
daemon@ATHENA.MIT.EDU (John Gilmore)
Fri Oct 16 17:28:19 1998
To: EKR <ekr@rtfm.com>
cc: Vin McLellan <vin@shore.net>, cryptography@c2.net, gnu@toad.com
Cc: paul@cryptography.com
In-reply-to: <kj67dke4ne.fsf@speedy.rtfm.com>
Date: Fri, 16 Oct 1998 13:20:25 -0700
From: John Gilmore <gnu@toad.com>

The export "relaxation" announced a few weeks ago -- permitting DES
export, etc -- also relaxes the asymmetric key sizes to 1024. See,
for example, http://www.bxa.doc.gov/Encryption/EncrypolicyUpdate.htm.
So, existing SSL use of 1024-bit keys is probably not a practical
problem. My guess is that even though the actual regulations haven't
been formally amended yet, the Commerce Dept wouldn't actually come
after anyone for this. If a product was already approved for export
by Commerce and NSA, as Netscape's and Microsoft's exportable products
were, Commerce would have to send them a letter revoking their export
license for it to be a real problem.

As I have found out to my dismay, we don't have "rule of law" when it
comes to crypto export. It doesn't really matter what the printed
regulations say -- what matters is what the Commerce Dept says in your
particular case. You can export things that the regs say you can't --
or you can be denied permission to export things the regs say you can
-- and in either case there is no practical way to appeal.

John