[521] in linux-security and linux-alert archive
Re: Getting security tools into a mainstream distribution
daemon@ATHENA.MIT.EDU (Dave Stagner)
Fri Dec 15 03:37:52 1995
Date: Thu, 14 Dec 1995 10:06:18 -0600
From: Dave Stagner <david_stagner@sys1.ic.ncs.com>
To: Thomas =?ISO-8859-1?Q?K=F6nig?= <Thomas.Koenig@ciw.uni-karlsruhe.de>
Cc: linux-security@tarsier.cv.nrao.edu
[mod: quotung trimmed --okir]
Thomas =3D?ISO-8859-1?Q?K=3DF6nig?=3D wrote:
> What's the best way of getting cryptographic tools such as ssh or
> pgp by default into a mainstream Linux distribution, given US
> export law?
> =
I see one major problem with this... any encryption software based on
the RSA algorithm (most notably PGP) is subject to patent restrictions
in the US entirely separate from export restrictions. Free software
using RSA released in the US must legally be built using the RSAREF
library (used by the US version of PGP distributed by MIT), while
RSA-based software used overseas uses a clone of the RSAREF library (I
can't remember its name offhand). Meanwhile, the RSAREF library itself
is illegal to use outside the US (at least according to US law!)
So we have two problems here. The first is that it would be illegal to
export a Linux distribution with strong encryption from the US. The
second is that it would be illegal to import a European-based
distribution with strong encryption INTO the US, albiet for different
reasons.
The only answer I can see offhand is to maintain parallel development of
a distribution, one for the US and one for the civilized world. The
only difference would be the use of RSAREF in the US version and the
RSAREF clone for the non-US version. And while technically legal, such
an approach could lead to legal harassment for the maintainers in the
US, either from the US govt or from Public Key Partners. =
Another possibility would be to provide a "security" package for
existing major distributions (i.e. Slackware, Debian) that users could
download and add themselves. Maintaining matching sets of such a
package would be easier, but it wouldn't provide the sort of blanket
security that would be ideal.
And one last, unrelated note... any security package for Linux
distributions should PLEASE include Tripwire or some other checksum
utility! I just have horrible visions of someone sneaking a hacked
binary of ssh or PGP into a standard distribution...
-- =
* David Stagner david_stagner@ncs.com
* National Computer Systems vox 319 354 9200 ext 6884
* Operations Division fax 319 339 6555
I disclaim my employer and I'm sure they'd disclaim me too.
