[523] in linux-security and linux-alert archive
Re: Getting security tools into a mainstream distribution
daemon@ATHENA.MIT.EDU (R.E.Wolff@et.tudelft.nl)
Sun Dec 17 19:48:48 1995
To: david_stagner@sys1.ic.ncs.com (Dave Stagner)
Date: Fri, 15 Dec 1995 12:55:18 +0100 (MET)
Cc: Thomas.Koenig@ciw.uni-karlsruhe.de, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <30D04B7A.41C6@ncs.com> from "Dave Stagner" at Dec 14, 95 10:06:18 am
From: R.E.Wolff@et.tudelft.nl
>
> [mod: quoting trimmed --okir]
> Thomas koenig wrote:

[Thomas: I corrected your name.... Not many people would've
recognized it in the form it was.....]

> > What's the best way of getting cryptographic tools such as ssh or
> > pgp by default into a mainstream Linux distribution, given US
> > export law?
>
> I see one major problem with this... any encryption software based on
> the RSA algorithm (most notably PGP) is subject to patent restrictions
> in the US entirely separate from export restrictions. Free software
> using RSA released in the US must legally be built using the RSAREF
> library (used by the US version of PGP distributed by MIT), while
> RSA-based software used overseas uses a clone of the RSAREF library (I
> can't remember its name offhand). Meanwhile, the RSAREF library itself
> is illegal to use outside the US (at least according to US law!)

How about the following: if someone outside the US makes a version
of the software that through installation of a shared library becomes
cryptographically enabled. This part of the software needs to be
based outside the US, as this type of software is ITAR regulated.
(Yes: Just because you can plug in a Crypto unit, it itself becomes
cryptography, and thus regulated).

What could be implemented should be capable of simultaneously
supporting several different "plug-and-play" modules that handle the
cryptographic side of the stuff. This allows non-US-based sites to
distribute a version that contains a non-RSA module, which can be
augmented with the RSAREF unit inside the US, and the clone outside
the USA.

> So we have two problems here. The first is that it would be illegal to
> export a Linux distribution with strong encryption from the US. The
> second is that it would be illegal to import a European-based
> distribution with strong encryption INTO the US, albeit for different
> reasons.

This is not quite true. It's illegal to import RSA into the USA.
This is different from "strong cryptography". This means that
non-US-based distributions might provide non-RSA strong encryption
by default.

US-based distributions should mark the cryptographic section as "not
for export". Come to think about it: As soon as someone makes a
"strong encryption package" that installs cleanly onto e.g.
"SlackWare 3.0", the "Slackware 3.0" distribution automatically
becomes an ITAR regulated item. Not that Patrick can do anything to
prevent this....

> Another possibility would be to provide a "security" package for
> existing major distributions (i.e. Slackware, Debian) that users could
> download and add themselves. Maintaining matching sets of such a
> package would be easier, but it wouldn't provide the sort of blanket
> security that would be ideal.

In my opinion, the only thing that really works is to equip the major
distributions with encryption by default. With a little care Linux
will provide for a base of encryption capable machines allowing
a quick expansion to other machines.......

Roger.
--
*** War doesn't determine who's right ****** War determines who's left. ***
** EMail: R.E.Wolff@et.tudelft.nl * Tel +31-15-2783643 or +31-15-2137459 **
*** <a href="http://einstein.et.tudelft.nl/~wolff/">my own homepage</a> ***