I've installed the encryption kit on Solaris 8 and Solaris 9, just to
get the ecb_crypt() function, which I need for a secure RPC
application. I have binaries that are linked against libcrypt_d.so.1.
These won't run on Solaris 10 because that library is missing.
Will there be an encryption kit for Solaris 10, or will the DES
encryption functions be available?
--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-
mills | 2/19/2005 3:52:49 PM
mills@cc.umanitoba.ca (Gary Mills) writes:
>I've installed the encryption kit on Solaris 8 and Solaris 9, just to
>get the ecb_crypt() function, which I need for a secure RPC
>application. I have binaries that are linked against libcrypt_d.so.1.
>These won't run on Solaris 10 because that library is missing.
>Will there be an encryption kit for Solaris 10, or will the DES
>encryption functions be available?
We've noticed that it is not available for download as before;
this is an oversight which should be corrected shortly.
Casper
Casper | 2/19/2005 4:45:58 PM
"Casper H.S. Dik" wrote:
> >I've installed the encryption kit on Solaris 8 and Solaris 9, just to
> >get the ecb_crypt() function, which I need for a secure RPC
> >application. I have binaries that are linked against libcrypt_d.so.1.
> >These won't run on Solaris 10 because that library is missing.
> >Will there be an encryption kit for Solaris 10, or will the DES
> >encryption functions be available?
>
> We've noticed that it is not available for download as before;
> this is an oversight which should be corrected shortly.
Can't the encryption kit be finally added to the normal CD set or are
there still some legal issues with that ?
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) roland.mainz@nrubsig.org
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 7950090
(;O/ \/ \O;)
Roland | 3/8/2005 8:47:43 AM
Roland Mainz <roland.mainz@nrubsig.org> writes:
>"Casper H.S. Dik" wrote:
>> >I've installed the encryption kit on Solaris 8 and Solaris 9, just to
>> >get the ecb_crypt() function, which I need for a secure RPC
>> >application. I have binaries that are linked against libcrypt_d.so.1.
>> >These won't run on Solaris 10 because that library is missing.
>> >Will there be an encryption kit for Solaris 10, or will the DES
>> >encryption functions be available?
>>
>> We've noticed that it is not available for download as before;
>> this is an oversight which should be corrected shortly.
>Can't the encryption kit be finally added to the normal CD set or are
>there still some legal issues with that ?
There are mostly import restrictions in some countries which disallow
this.
Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
Casper | 3/8/2005 2:10:32 PM
In article <422D66AF.F0CDB869@nrubsig.org>,
Roland Mainz <roland.mainz@nrubsig.org> wrote:
> "Casper H.S. Dik" wrote:
> > >I've installed the encryption kit on Solaris 8 and Solaris 9, just to
> > >get the ecb_crypt() function, which I need for a secure RPC
> > >application. I have binaries that are linked against libcrypt_d.so.1.
> > >These won't run on Solaris 10 because that library is missing.
> > >Will there be an encryption kit for Solaris 10, or will the DES
> > >encryption functions be available?
> >
> > We've noticed that it is not available for download as before;
> > this is an oversight which should be corrected shortly.
>
> Can't the encryption kit be finally added to the normal CD set or are
> there still some legal issues with that ?
Are you kidding? With W (aka shrubby) in office, Homeland Security
isn't about to give Al-Keida any additional ammo, especially ones the
NSA, FBI, and CIA can't deal with already. I'm surprised PGP, Inc. is
still open for business.
--
DeeDee, don't press that button! DeeDee! NO! Dee...
Michael | 3/8/2005 6:38:35 PM
Michael Vilain <vilain@spamcop.net> writes:
> Are you kidding? With W (aka shrubby) in office, Homeland Security
> isn't about to give Al-Keida any additional ammo, especially ones
> the NSA, FBI, and CIA can't deal with already. I'm surprised PGP,
> Inc. is still open for business.
Umm, it's software, not weapons grade plutonium! How hard would it be
for anyone to get a hold of it (the software, not the plutonium)?
These restrictions are so stupid that it makes the mind boggle.
You are worried about criminals (by definition, "people who break the
law") getting hold of a bunch of bits which cannot be exported by
law. I mean come on!
Is North Korea saying to themselves "Let's download 256-bit
encryption. No! Wait! It's illegal to do so because of export
restrictions. Let's start a nuclear weapons program instead."
Hello?!
--
David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/
Because the innovator has for enemies all those who have done well under
the old conditions, and lukewarm defenders in those who may do well
under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
David | 3/9/2005 3:15:54 PM
Michael Vilain wrote:
> > > >I've installed the encryption kit on Solaris 8 and Solaris 9, just to
> > > >get the ecb_crypt() function, which I need for a secure RPC
> > > >application. I have binaries that are linked against libcrypt_d.so.1.
> > > >These won't run on Solaris 10 because that library is missing.
> > > >Will there be an encryption kit for Solaris 10, or will the DES
> > > >encryption functions be available?
> > >
> > > We've noticed that it is not available for download as before;
> > > this is an oversight which should be corrected shortly.
> >
> > Can't the encryption kit be finally added to the normal CD set or are
> > there still some legal issues with that ?
>
> Are you kidding?
Nope. For example SuSE Linux ships with the same type of encryption by
default and you can even download their DVD/CDROM ISO from their ftp
servers(+mirrors) without needing any passwords or registration.
> With W (aka shrubby) in office, Homeland Security
> isn't about to give Al-Keida any additional ammo, especially ones the
> NSA, FBI, and CIA can't deal with already. I'm surprised PGP, Inc. is
> still open for business.
In that case /etc/shadow needs removed and /etc/passwd MUST use only
plaintext passwords (which are emailed twice a day to nsa.gov). Anyone
who replies to this article with objections will be sent to
gunatanamo[1] !! ... =:-)
[1]=How is this spelled correctly ?
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) roland.mainz@nrubsig.org
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 7950090
(;O/ \/ \O;)
Roland | 3/9/2005 7:51:14 PM
Roland Mainz <roland.mainz@nrubsig.org> writes:
> In that case /etc/shadow needs removed and /etc/passwd MUST use only
> plaintext passwords (which are emailed twice a day to nsa.gov). Anyone
> who replies to this article with objections will be sent to
> gunatanamo[1] !! ... =:-)
>
> [1]=How is this spelled correctly ?
It's Guantanamo Bay. Check e.g. http://www.nsgtmo.navy.mil/
HTH, Dragan
--
Dragan Cvetkovic,
To be or not to be is true. G. Boole No it isn't. L. E. J. Brouwer
!!! Sender/From address is bogus. Use reply-to one !!!
Dragan | 3/9/2005 7:55:13 PM
On Wed, 09 Mar 2005 20:51:14 +0100, Roland Mainz wrote:
>
> Nope. For example SuSE Linux ships with the same type of encryption by
> default and you can even download their DVD/CDROM ISO from their ftp
> servers(+mirrors) without needing any passwords or registration.
The problem exists at the end-user's site. Some nations, notably France,
prohibit private use of crypto. A Frenchman violates the law by opening
an SSH session across the Internet or by sending a PGP/GPG encrypted email
IIUC.
> In that case /etc/shadow needs removed and /etc/passwd MUST use only
> plaintext passwords (which are emailed twice a day to nsa.gov). Anyone
> who replies to this article with objections will be sent to
> gunatanamo[1] !! ... =:-)
>
> [1]=How is this spelled correctly ?
Guantanamo. The US leases the land from Cuba.
Dave | 3/9/2005 8:06:27 PM
Dave Uhring <daveuhring@yahoo.com> writes:
> The problem exists at the end-user's site. Some nations, notably France,
> prohibit private use of crypto. A Frenchman violates the law by opening
> an SSH session across the Internet or by sending a PGP/GPG encrypted email
> IIUC.
Is that still true? I thought they changed the law some time ago ...
Dragan
--
Dragan Cvetkovic,
To be or not to be is true. G. Boole No it isn't. L. E. J. Brouwer
!!! Sender/From address is bogus. Use reply-to one !!!
Dragan | 3/9/2005 8:09:16 PM
Roland Mainz <roland.mainz@nrubsig.org> writes:
>Nope. For example SuSE Linux ships with the same type of encryption by
>default and you can even download their DVD/CDROM ISO from their ftp
>servers(+mirrors) without needing any passwords or registration.
What type of encryption and from where do they ship? By default,
Solaris ships with 128 bits encryption and only longer keys are
restricted and then mostly because of import reasons. We're not allowed
to ship anything to parties which aren't allowed encryption at all,
so that's a non-issue.
Being a US company, the rules are a bit stricter for US than others.
>> With W (aka shrubby) in office, Homeland Security
>> isn't about to give Al-Keida any additional ammo, especially ones the
>> NSA, FBI, and CIA can't deal with already. I'm surprised PGP, Inc. is
>> still open for business.
>In that case /etc/shadow needs removed and /etc/passwd MUST use only
>plaintext passwords (which are emailed twice a day to nsa.gov). Anyone
>who replies to this article with objections will be sent to
>gunatanamo[1] !! ... =:-)
I think the argument put forward that if we don't allow
encryption we have two choices:
1) no e-commerce
2) collapse of economy and trust in the economy because
all electronic money is stolen.
and that is a pretty convincing argument.
Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
Casper | 3/9/2005 8:13:40 PM
On Wed, 09 Mar 2005 15:09:16 -0500, Dragan Cvetkovic wrote:
> Dave Uhring <daveuhring@yahoo.com> writes:
>
>> The problem exists at the end-user's site. Some nations, notably France,
>> prohibit private use of crypto. A Frenchman violates the law by opening
>> an SSH session across the Internet or by sending a PGP/GPG encrypted email
>> IIUC.
>
> Is that still true? I thought they changed the law some time ago ...
I really don't know; the French government may have acquired some sanity
but I doubt it. Hell, it's hard enough to keep up with US law to keep
from being sent to Guantanamo myself.
Dave | 3/9/2005 8:27:09 PM
"Casper H.S. Dik" wrote:
> >Nope. For example SuSE Linux ships with the same type of encryption by
> >default and you can even download their DVD/CDROM ISO from their ftp
> >servers(+mirrors) without needing any passwords or registration.
>
> What type of encryption and from where do they ship?
They ship at least fully-functional (e.g. unrestricted in functionality)
Kerberos support and IPsec with 256bit Blowfish... there is likely more
but I never checked any further details...
> By default,
> Solaris ships with 128 bits encryption and only longer keys are
> restricted and then mostly because of import reasons.
What about the 640bit/1024bit dh supported for NIS+ ? :)
> We're not allowed
> to ship anything to parties which aren't allowed encryption at all,
> so that's a non-issue.
>
> Being a US company, the rules are a bit stricter for US than others.
SuSE is now part of Novell...
> >> With W (aka shrubby) in office, Homeland Security
> >> isn't about to give Al-Keida any additional ammo, especially ones the
> >> NSA, FBI, and CIA can't deal with already. I'm surprised PGP, Inc. is
> >> still open for business.
>
> >In that case /etc/shadow needs removed and /etc/passwd MUST use only
> >plaintext passwords (which are emailed twice a day to nsa.gov). Anyone
> >who replies to this article with objections will be sent to
> >gunatanamo[1] !! ... =:-)
>
> I think the argument put forward that if we don't allow
> encryption we have two choices:
>
> 1) no e-commerce
> 2) collapse of economy and trust in the economy because
> all electronic money is stolen.
>
> and that is a pretty convincing argument.
You did see the smiley after the comment with getting /etc/shadow
removed ? :)
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) roland.mainz@nrubsig.org
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 7950090
(;O/ \/ \O;)
Roland | 3/9/2005 8:39:21 PM
Dave Uhring <daveuhring@yahoo.com> writes:
> On Wed, 09 Mar 2005 15:09:16 -0500, Dragan Cvetkovic wrote:
>
>> Dave Uhring <daveuhring@yahoo.com> writes:
>>
>>> The problem exists at the end-user's site. Some nations, notably France,
>>> prohibit private use of crypto. A Frenchman violates the law by opening
>>> an SSH session across the Internet or by sending a PGP/GPG encrypted email
>>> IIUC.
>>
>> Is that still true? I thought they changed the law some time ago ...
>
> I really don't know; the French government may have acquired some sanity
> but I doubt it. Hell, it's hard enough to keep up with US law to keep
> from being sent to Guantanamo myself.
>
Apparently, they did, back in 1999. Here is the quote from
http://groups.google.ca/groups?selm=comp-privacy14.4.4%40cs.uwm.edu
French officials this week announced dramatic liberalization of its
cryptography laws and that it will allow Gallic computer users to
work with any strength of encryption technology, Meryem Marzouki (a
GILC Member) said.
And also, http://www.tbtf.com/resource/fr128-human.txt
From "France Eases Cryptol Restrictions" in TBTF for 1999-01-26,
http://tbtf.com/archive/1999-01-26.html#s06
Human translation of part of a French government announcement [1],
posted to the Cryptography mailing list.
[1] http://www.premier-ministre.gouv.fr/PM/D190199.HTM
- - - - - -
The third legislative initiative concerns cryptography. With
the development of electronic espionage instruments,
cryptography appears as an essential instrument of privacy
protection.
We had, one year ago, made a first step towards
liberalization of cryptographic instruments. At that time I
had announced that we were going to make one further. The
Government has, since then, heard the players, questioned
the experts and consulted its international partners. We
have today become convinced that the legislation of 1996 is
no longer suitable. In fact, it strongly restricts the usage
of cryptography in France, on the other hand, for all that,
without allowing the public powers to fight effectively
against criminal actions of which encryption could
facilitate the dissimulation.
In order to change the orientation of our legislation, the
Government has thus retained the following orientations,
that I have discussed with the President of the Republic:
- To offer a complete freedom of use of cryptography
- To remove the compulsory nature or third-party escrow of
encryption keys
- To supplement the current legal framework by the
introduction of obligations, together with penal sanctions,
concerning the handing-over to the legal authorities, when
they require it, of the cleartext version of encrypted
documents. At the same time, the technical skills of the
public authorities will be significantly improved.
Changing the law will take many months. The Government has
decided that the main obstacles holding up the citizens from
protecting the confidentiality of their communications and
the development of electronic commerce be lifted without
waiting. Thus, waiting for the announced legislative
changes, the Government has decided to raise the
threshold of cryptology the use of which is free, from 40
bit to 128 bit, considered by the experts a level suitable
to ensure durably a very high security.
--
Dragan Cvetkovic,
To be or not to be is true. G. Boole No it isn't. L. E. J. Brouwer
!!! Sender/From address is bogus. Use reply-to one !!!
Dragan | 3/9/2005 8:53:37 PM
On Wed, 9 Mar 2005, Roland Mainz wrote:
> They ship at least fully-functional (e.g. unrestricted in functionality)
> Kerberos support and IPsec with 256bit Blowfish... there is likely more
> but I never checked any further details...
Right, but isn't (or wasn't) SuSE a European country? If so, US laws
and export regs don't apply.
> > Being a US company, the rules are a bit stricter for US than others.
>
> SuSE is now part of Novell...
Grandfather clause? Or perhaps being a wholly owned foreign subsidiary
helps?
--
Rich Teer, SCNA, SCSA
President,
Rite Online Inc.
Voice: +1 (250) 979-1638
URL: http://www.rite-group.com/rich
Rich | 3/9/2005 8:54:50 PM
On Wed, 09 Mar 2005 15:53:37 -0500, Dragan Cvetkovic wrote:
> waiting. Thus, waiting for the announced legislative
> changes, the Government has decided to raise the
> threshold of cryptology the use of which is free, from 40
> bit to 128 bit, considered by the experts a level suitable
> to ensure durably a very high security.
OK, so they gained a bit of sanity. But the SSH and PGP keys are much
longer than 128 bits, so my previous statement appears to still be true.
Dave | 3/9/2005 9:04:22 PM
Dave Uhring <daveuhring@yahoo.com> writes:
> On Wed, 09 Mar 2005 15:53:37 -0500, Dragan Cvetkovic wrote:
>
>> waiting. Thus, waiting for the announced legislative
>> changes, the Government has decided to raise the
>> threshold of cryptology the use of which is free, from 40
>> bit to 128 bit, considered by the experts a level suitable
>> to ensure durably a very high security.
>
> OK, so they gained a bit of sanity. But the SSH and PGP keys are much
> longer than 128 bits, so my previous statement appears to still be true.
Nope. If you read the whole text, change from 40 to 128 bits was an
intermediate change (with an immediate effect), until the whole legislation
is being passed (procedurally, I suppose).
Dragan
--
Dragan Cvetkovic,
To be or not to be is true. G. Boole No it isn't. L. E. J. Brouwer
!!! Sender/From address is bogus. Use reply-to one !!!
Dragan | 3/9/2005 9:08:09 PM
On Wed, 09 Mar 2005 20:54:50 +0000, Rich Teer wrote:
> On Wed, 9 Mar 2005, Roland Mainz wrote:
>
>> They ship at least fully-functional (e.g. unrestricted in functionality)
>> Kerberos support and IPsec with 256bit Blowfish... there is likely more
>> but I never checked any further details...
>
> Right, but isn't (or wasn't) SuSE a European country? If so, US laws
> and export regs don't apply.
That is one of the primary reasons that OpenBSD is based in Canada.
http://openbsd.org/crypto.html
>> > Being a US company, the rules are a bit stricter for US than others.
>>
>> SuSE is now part of Novell...
>
> Grandfather clause? Or perhaps being a wholly owned foreign subsidiary
> helps?
I'm no lawyer but a quick read of the US Munitions List indicates that it
no longer restricts the export of cryptographic software which is not
directly associated with military equipment.
http://pmdtc.org/reference.htm Part 121
Dave | 3/9/2005 9:31:02 PM
Rich Teer <rich.teer@rite-group.com> writes in comp.unix.solaris:
|On Wed, 9 Mar 2005, Roland Mainz wrote:
|
|> They ship at least fully-functional (e.g. unrestricted in functionality)
|> Kerberos support and IPsec with 256bit Blowfish... there is likely more
|> but I never checked any further details...
|
|Right, but isn't (or wasn't) SuSE a European country?
No, I'm pretty sure it's always only been a company, not its own
nation-state. 8-) It was based in Germany until last year when
Novell bought it.
|If so, US laws and export regs don't apply.
They had US offices in the past, so I think they might have, but the
crypto/export regs are too complex for me to understand them fully.
Fortunately Sun has a whole group of people who do nothing but deal
with all the different import & export rules around the world to worry
about this (well, it's unfortunate that such a group is required, but
that's a necessity of a modern company with customers around the world).
--
________________________________________________________________________
Alan Coopersmith * alanc@alum.calberkeley.org * Alan.Coopersmith@Sun.COM
http://www.csua.berkeley.edu/~alanc/ * http://blogs.sun.com/alanc/
Working for, but definitely not speaking for, Sun Microsystems, Inc.
Alan | 3/9/2005 9:50:55 PM
On Wed, 09 Mar 2005 16:08:09 -0500, Dragan Cvetkovic wrote:
> Dave Uhring <daveuhring@yahoo.com> writes:
>
>> On Wed, 09 Mar 2005 15:53:37 -0500, Dragan Cvetkovic wrote:
>>
>>> waiting. Thus, waiting for the announced legislative
>>> changes, the Government has decided to raise the
>>> threshold of cryptology the use of which is free, from 40
>>> bit to 128 bit, considered by the experts a level suitable
>>> to ensure durably a very high security.
>>
>> OK, so they gained a bit of sanity. But the SSH and PGP keys are much
>> longer than 128 bits, so my previous statement appears to still be true.
>
> Nope. If you read the whole text, change from 40 to 128 bits was an
> intermediate change (with an immediate effect), until the whole legislation
> is being passed (procedurally, I suppose).
All I see there is "proposed legislation", nothing to the effect that the
French legislature had actually enacted that legislation.
Dave | 3/9/2005 9:51:32 PM
Roland Mainz <roland.mainz@nrubsig.org> writes:
>> By default,
>> Solaris ships with 128 bits encryption and only longer keys are
>> restricted and then mostly because of import reasons.
>What about the 640bit/1024bit dh supported for NIS+ ? :)
That's asymmetric, those bits are "shorter".
>> We're not allowed
>> to ship anything to parties which aren't allowed encryption at all,
>> so that's a non-issue.
>>
>> Being a US company, the rules are a bit stricter for US than others.
>SuSE is now part of Novell...
But have they been indoctrinated yet with the corporate culture?
They may be breaking the law, but I'm not sure.
The encryption supplement should be available for download
as it was for S9.
Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
Casper | 3/10/2005 12:04:25 AM
Dragan Cvetkovic <me@privacy.net> writes:
>Apparently, they did, back in 1999. Here is the quote from
>http://groups.google.ca/groups?selm=comp-privacy14.4.4%40cs.uwm.edu
> French officials this week announced dramatic liberalization of its
> cryptography laws and that it will allow Gallic computer users to
> work with any strength of encryption technology, Meryem Marzouki (a
> GILC Member) said.
Is there an actual law and date for the law being passed?
There are still import restrictions in Israel and, I think, Russia,
that make it difficult to go over 128 bits.
Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
Casper | 3/10/2005 12:05:43 AM
Rich Teer <rich.teer@rite-group.com> writes:
>On Wed, 9 Mar 2005, Roland Mainz wrote:
>> They ship at least fully-functional (e.g. unrestricted in functionality)
>> Kerberos support and IPsec with 256bit Blowfish... there is likely more
>> but I never checked any further details...
>Right, but isn't (or wasn't) SuSE a European country? If so, US laws
>and export regs don't apply.
>> > Being a US company, the rules are a bit stricter for US than others.
>>
>> SuSE is now part of Novell...
>Grandfather clause? Or perhaps being a wholly owned foreign subsidiary
>helps?
No. When Sun did a reimplementation of SKIP through a Russian company
(clean-room style), there was hell to pay. Even if you play by the
rules but are seen evading them, the US government can be very, uhm,
heavy handed.
Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
Casper | 3/10/2005 12:07:01 AM
Dave Uhring <daveuhring@yahoo.com> writes:
>On Wed, 09 Mar 2005 15:53:37 -0500, Dragan Cvetkovic wrote:
>> waiting. Thus, waiting for the announced legislative
>> changes, the Government has decided to raise the
>> threshold of cryptology the use of which is free, from 40
>> bit to 128 bit, considered by the experts a level suitable
>> to ensure durably a very high security.
>OK, so they gained a bit of sanity. But the SSH and PGP keys are much
>longer than 128 bits, so my previous statement appears to still be true.
There's a big difference between the computational strength of
symmetric and asymmetric ciphers. 512 bits of RSA are crackable;
128 bits of AES are not.
Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
Casper | 3/10/2005 12:08:10 AM
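The key-length point made in the post above, worked as an added example that is not part of the original thread: it compares brute-force cost for the symmetric key sizes mentioned (40 and 128 bits) with a heuristic number-field-sieve cost for the asymmetric sizes mentioned (512-bit RSA, 640/1024-bit DH). The function names and the key list are chosen here for illustration, and the formula drops the o(1) term and all constants, so the figures are order-of-magnitude only.

```python
import math

# (64/9)^(1/3): the constant in the heuristic general number field sieve
# running time L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)).
# Factoring an RSA modulus and taking discrete logs in a prime field (DH)
# share this asymptotic form.
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)


def gnfs_work_bits(modulus_bits: int) -> float:
    """log2 of the heuristic sieve cost for a modulus of the given size.

    Assumption of this example: the o(1) term and implementation constants
    are ignored, so this is an estimate, not a security guarantee.
    """
    if modulus_bits < 16:
        raise ValueError("modulus too small for the asymptotic formula")
    ln_n = modulus_bits * math.log(2)      # ln(2^bits) without huge floats
    exponent = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return exponent / math.log(2)          # e^exponent expressed as 2^bits


def symmetric_work_bits(key_bits: int) -> float:
    """Exhaustive search over a k-bit symmetric key takes at most 2^k trials."""
    return float(key_bits)


def min_modulus_for(target_bits: float, step: int = 8, limit: int = 65536) -> int:
    """Smallest modulus size (multiple of step) whose estimate reaches target."""
    size = 256
    while size <= limit:
        if gnfs_work_bits(size) >= target_bits:
            return size
        size += step
    raise ValueError("target not reached below the size limit")


# Key sizes that come up in the thread (list assembled for this example).
THREAD_KEYS = [
    ("symmetric", 40),
    ("symmetric", 128),
    ("asymmetric", 512),
    ("asymmetric", 640),
    ("asymmetric", 1024),
]


def compare(keys=THREAD_KEYS):
    """Return (kind, key_bits, estimated log2 work) for each key size."""
    rows = []
    for kind, bits in keys:
        if kind == "symmetric":
            work = symmetric_work_bits(bits)
        else:
            work = gnfs_work_bits(bits)
        rows.append((kind, bits, round(work, 1)))
    return rows


if __name__ == "__main__":
    for kind, bits, work in compare():
        print(f"{bits:5d}-bit {kind:10s} key: about 2^{work} operations")
    print("modulus size estimated to match a 128-bit symmetric key:",
          min_modulus_for(128), "bits")
```

By this estimate even a 1024-bit modulus costs far less to attack than a 128-bit symmetric key, which is why a bit-count threshold means different things for the two kinds of key.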
On Thu, 10 Mar 2005 00:08:10 +0000, Casper H. S. Dik wrote:
> Dave Uhring <daveuhring@yahoo.com> writes:
>
>>On Wed, 09 Mar 2005 15:53:37 -0500, Dragan Cvetkovic wrote:
>
>>> waiting. Thus, waiting for the announced legislative
>>> changes, the Government has decided to raise the
>>> threshold of cryptology the use of which is free, from 40
>>> bit to 128 bit, considered by the experts a level suitable
>>> to ensure durably a very high security.
>
>>OK, so they gained a bit of sanity. But the SSH and PGP keys are much
>>longer than 128 bits, so my previous statement appears to still be true.
>
> There's a big difference between the computational strength of
> symmetric and asymmetric ciphers. 512 bits of RSA are crackable;
> 128 bits of AES are not.
Perhaps, but Dragan's quote does not specify the encryption algorithm.
Dave | 3/10/2005 12:40:54 AM
Dave Uhring <daveuhring@yahoo.com> writes:
>On Thu, 10 Mar 2005 00:08:10 +0000, Casper H. S. Dik wrote:
>> Dave Uhring <daveuhring@yahoo.com> writes:
>>
>>>On Wed, 09 Mar 2005 15:53:37 -0500, Dragan Cvetkovic wrote:
>>
>>>> waiting. Thus, waiting for the announced legislative
>>>> changes, the Government has decided to raise the
>>>> threshold of cryptology the use of which is free, from 40
>>>> bit to 128 bit, considered by the experts a level suitable
>>>> to ensure durably a very high security.
>>
>>>OK, so they gained a bit of sanity. But the SSH and PGP keys are much
>>>longer than 128 bits, so my previous statement appears to still be true.
>>
>> There's a big difference between the computational strength of
>> symmetric and asymmetric ciphers. 512 bits of RSA are crackable;
>> 128 bits of AES are not.
>Perhaps, but Dragan's quote does not specify the encryption algorithm.
Yes, but the "much longer keys" likely only refer to the RSA/DH keys
Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
Casper | 3/10/2005 8:38:20 AM
On Thu, 10 Mar 2005 08:38:20 +0000, Casper H. S. Dik wrote:
> Dave Uhring <daveuhring@yahoo.com> writes:
>
>>On Thu, 10 Mar 2005 00:08:10 +0000, Casper H. S. Dik wrote:
>
>>> Dave Uhring <daveuhring@yahoo.com> writes:
>>>>OK, so they gained a bit of sanity. But the SSH and PGP keys are much
>>>>longer than 128 bits, so my previous statement appears to still be true.
>>>
>>> There's a big difference between the computational strength of
>>> symmetric and asymmetric ciphers. 512 bits of RSA are crackable;
>>> 128 bits of AES are not.
>
>>Perhaps, but Dragan's quote does not specify the encryption algorithm.
>
> Yes, but the "much longer keys" likely only refer to the RSA/DH keys
OK, then without the proposed legislation having actually been enacted, in
what way is the private use of SSH and PGP legal in that nation?
Dave | 3/10/2005 11:11:31 AM
In the previous article, Dave Uhring <daveuhring@yahoo.com> wrote:
> Yes, but the "much longer keys" likely only refer to the RSA/DH keys
>
> OK, then without the proposed legislation having actually been
> enacted, in what way is the private use of SSH and PGP legal in that
> nation?
I recently consulted to a client who wanted to install ssh on NetBSD /
Apache servers in France. If you read enough French to grasp the
basic idea at
http://www.ssi.gouv.fr/fr/reglementation/liste_cat/f22.html
you will see that F-Secure SSH and OpenSSL are OK for use without
special approval. Also, the page at
http://www.ssi.gouv.fr/fr/reglementation/liste_cat/index.html
instructs one that just because a product isn't explicitly listed
doesn't mean it's tightly regulated, and that you can mail
w e b m e s t r e . dcssi@sgdn.pm.gouv.(fr) [pardon the anti-
spammer obfuscation] for clarification about a specific product.
The bottom line in the case on which I consulted -- this is NOT legal
advice and you should go pay for competent counsel if that's what you
need -- is that my client's French counterparts concluded that they
were comfortable installing OpenSSH, and did so. No one's gone to
jail yet.
There used to be a 128-bit version of SSH floating around specifically
written for use in France, but I haven't heard about it in a few years.
There's an ssh group (I don't follow it these days) where you are
likely to find people far more knowledgeable about this than I am.
--
_+_ From the catapult of |If anyone disagrees with any statement I make, I
_|70|___:)=}- J.D. Baldwin |am quite prepared not only to retract it, but also
\ / baldwin@panix.com|to deny under oath that I ever made it. -T. Lehrer
***~~~~-----------------------------------------------------------------------
INVALID_SEE_SIG | 3/10/2005 2:18:50 PM
On Thu, 10 Mar 2005 14:18:50 +0000, J.D. Baldwin wrote:
> I recently consulted to a client who wanted to install ssh on NetBSD /
> Apache servers in France. If you read enough French to grasp the
> basic idea at
>
> http://www.ssi.gouv.fr/fr/reglementation/liste_cat/f22.html
>
> you will see that F-Secure SSH and OpenSSL are OK for use without
> special approval. Also, the page at
>
> http://www.ssi.gouv.fr/fr/reglementation/liste_cat/index.html
>
> instructs one that just because a product isn't explicitly listed
> doesn't mean it's tightly regulated, and that you can mail
> w e b m e s t r e . dcssi@sgdn.pm.gouv.(fr) [pardon the anti-
> spammer obfuscation] for clarification about a specific product.
Sorry, I can't read French at all.
> The bottom line in the case on which I consulted -- this is NOT legal
> advice and you should go pay for competent counsel if that's what you
> need -- is that my client's French counterparts concluded that they
> were comfortable installing OpenSSH, and did so. No one's gone to
> jail yet.
OK, then either the more liberal legislation was enacted or they are just
ignoring their law.
Dave | 3/10/2005 2:37:09 PM
"Casper H.S. Dik" wrote:
[snip]
> >SuSE is now part of Novell...
>
> But have they been indoctrinated yet with the corporate culture?
The answer is "yes" and "no". Parts of SuSE seem to be swallowed,
others may be swallowed in the future and others be treated differently.
At least their bugzilla is now hosted under the novell.com domain and
most SuSE people are posting using novell.com email addresses...
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) roland.mainz@nrubsig.org
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 7950090
(;O/ \/ \O;)
Roland | 3/10/2005 4:12:27 PM

Dave Uhring wrote:
> The problem exists at the end-user's site. Some nations, notably France,
> prohibit private use of crypto. A Frenchman violates the law by opening
> an SSH session across the Internet or by sending a PGP/GPG encrypted email
> IIUC.
It's not true anymore, crypto use is completely allowed since a law that passed
last June[1], whatever the key length or algorithm.
There are some mild restrictions on import/export, some declaration is needed,
but essentially, crypto is liberalized.
Also, I've talked once to a lawyer about it, and he didn't know about any crypto
prosecution ever done by the government.
The original crypto restrictions seemed to originate from just before the 2nd
World War, in 1939.
Laurent
[1]
LOI n° 2004-575 du 21 juin 2004 pour la confiance dans l'économie numérique
Article 30
I. - L'utilisation des moyens de cryptologie est libre.
Lit. transl.: "The use of cryptology means is free."
http://www.legifrance.gouv.fr/WAspad/UnTexteDeJorf?numjo=ECOX0200175L
Laurent | 3/11/2005 8:26:59 PM

Dave Uhring wrote:
> OK, then either the more liberal legislation was enacted or they are just
> ignoring their law.
Actually, you could get products allowed, whatever their crypto strength, and
that was done for OpenSSL, since they had no trouble providing the source.
In the list pointed to by the link, it's said it was done by the FSF France, so I
guess that all products based on OpenSSL were actually legal since 1999, without
restriction on key length.
It was not the case for other products such as Firewall-1 VPN, for which it
seems Checkpoint refused to disclose their proprietary algorithm to the
government, and was thus limited to 3DES (though I wouldn't trust an unknown
algorithm, so I didn't mind).
In any case, that list is now history, since as I said, use of crypto is now free.
Laurent
Laurent | 3/11/2005 8:38:05 PM

Casper H.S. Dik wrote:
> That's asymmetric, those bits are "shorter".
But the legislators didn't care about that, AFAICT. 128 was 128, whatever the
algorithm. Yes, it was dumb. No, legislators here are not required to understand
the stuff they're enacting laws on. Not sure about other countries.
Laurent
Laurent | 3/11/2005 8:41:09 PM

On Fri, 11 Mar 2005 21:26:59 +0100, Laurent Blume wrote:
> Dave Uhring wrote:
>> The problem exists at the end-user's site. Some nations, notably France,
>> prohibit private use of crypto. A Frenchman violates the law by opening
>> an SSH session across the Internet or by sending a PGP/GPG encrypted email
>> IIUC.
>
> It's not true anymore, crypto use is completely allowed since a law that passed
> last June[1], whatever the key length or algorithm.
That answers the question about whether the proposed legislation of
01/1999 was ever enacted. I was unaware of that.
Dave | 3/11/2005 8:53:54 PM

Dave Uhring wrote:
> That answers the question about whether the proposed legislation of
> 01/1999 was ever enacted. I was unaware of that.
Ah, but it had been in 1999, too, and was already considered a great progress at
the time :-)
And last year's law was another enhancement, which brings us to a reasonable
law, I believe.
I refreshed my memory: basically, all that's needed to import/export crypto that
is not used only for authentication or integrity check is declaring it prior to
doing it. It may not be needed at all for some kinds of crypto, which is
supposed to be defined separately (but I've not found *where* it's defined, or
if it has been at all yet).
Anyway, the main point here is that it's only needed to *declare* it. You don't
have to get an authorization to do import/export.
You also have to make available the specification and the source code to the
government, if they want to see it. Not too difficult.
Honestly, though, I don't know how well the bureaucratic part of that works, if
the forms to fill are easy to find, and such.
Laurent
Laurent | 3/11/2005 9:22:09 PM

On Fri, 11 Mar 2005 22:22:09 +0100, Laurent Blume wrote:
> Dave Uhring wrote:
>> That answers the question about whether the proposed legislation of
>> 01/1999 was ever enacted. I was unaware of that.
>
> Ah, but it had been in 1999, too, and was already considered a great progress at
> the time :-)
>
> And last year's law was another enhancement, which brings us to a reasonable
> law, I believe.
That is a far better situation than I had believed. I had not taken note
of any changes to the laws.
Dave | 3/11/2005 10:39:12 PM

Dave Uhring wrote:
> That is a far better situation than I had believed. I had not taken note
> of any changes to the laws.
I'm spreading the word :-)
Too bad that this law had other less good articles that made it quite infamous in
the IT field, like placing responsibility on ISPs when they host "illicit"
content, failing to completely forbid spam (or rather, legalizing some spam),
and doubling the maximal sentences on *very* vaguely defined computer crimes.
Lots of unrelated stuff.
Ah well, the drafts were *much* worse, and at least, we got crypto...
Laurent
Laurent | 3/11/2005 10:58:14 PM

On Fri, 11 Mar 2005 23:58:14 +0100, Laurent Blume wrote:
> Too bad that this law had other less good articles that made it quite infamous in
> the IT field, like placing responsibility on ISPs when they host "illicit"
> content, failing to completely forbid spam (or rather, legalizing some spam),
> and doubling the maximal sentences on *very* vaguely defined computer crimes.
> Lots of unrelated stuff.
That is the consequence of having politicians making laws :-)
Dave | 3/11/2005 11:17:33 PM