[887] in cryptography@c2.net mail archive


Re: Sun Microsystems to try to go around EAR

daemon@ATHENA.MIT.EDU (Peter Trei)
Thu May 22 14:02:39 1997

From: "Peter Trei" <trei@process.com>
To: cryptography@c2.net, risks@csl.sri.com, mctaylor@mta.ca
Date: Thu, 22 May 1997 14:09:03 -6
Reply-to: trei@process.com

> Michael C Taylor wrote:
> 
> | From http://www.msnbc.com/news/75617.asp by the Associated Press.
> | 
> | In summary (by mctaylor):
> |  Sun has partnered with Elvis+ Co., a Russian company, to by-pass export
> | controls in order to "test the waters."
> |  The products which were developed by Elvis+ use SKIP, a Sun
> | security protocol, but Sun did not provide technical assistance to
> | Elvis+. The interesting part is that Sun will sell Elvis+'s Secure Virtual
> | Private Network for MS-Windows 3.11, 95 and NT under the name SunScreen
> | SKIP E+ in August. 
> | 
> | The risks here include whether Sun can trust a Russian company to which Sun
> | provided no technical assistance, and therefore, I assume, no quality control testing.
> | It is one thing to bundle a paint program written by another company, but
> | to resell a security product with your name on it without doing your own
> | quality testing and cryptanalysis is very risky IMHO. Could Sun 
> | Microsystems find a backdoor that was included at the _request_ of a
> | foreign government? I won't even start with the risks of legal action..
> | 
> | --
> | Michael C. Taylor <mctaylor@mta.ca> <http://www.mta.ca/~mctaylor/>

I don't really see what the problem is. Sun will (I assume) get 
source code from Russia, and is perfectly capable of evaluating 
that, to make sure it meets Sun specifications. 

I assume that the process runs something like this:
They get the source code from the Russians outside of the US, and 
send a copy home. There, it can be evaluated to ensure it meets 
the specifications. If it does, the copy which never crossed 
the US border can be compiled outside the US, and then sold 
worldwide.

The only bumps in the road are:

1. They have to manage the flow of source and compiled code to 
make sure that no copy ever crosses the US border in an outwards
direction.

2. Feedback from the evaluation team (if it is composed of Americans
or is in the US) cannot be very specific - "You failed to meet 
requirement 4.32.7 of the contract" might be legal, while "You forgot
to zeroize the password buffer at line 253" might not.

Peter Trei
trei@process.com
