Subject: Re: quickly find what applications are affected by RSA
To: Frederick Bruckman <fb@enteract.com>
From: Jim Wise <jwise@draga.com>
List: current-users
Date: 09/08/2000 12:19:53
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 8 Sep 2000, Frederick Bruckman wrote:

>> 	- non-US people should use non-RSAREF RSA source code
>> 
>> 	there still are other problems with crypto software:
>> 	- export/import regulation in non-US countries
>
>This affects some NetBSD users, certainly, but does not affect NetBSD.

No, it affects NetBSD, in that the NetBSD Project has set a clear policy
of providing a mechanism for building the system without strong
cryptography.  This will continue to be necessary as long as many
countries, including countries often considered `reasonable' (e.g.
France until they repeal the laws they've stated that they will repeal,
Great Britain if they pass the laws they've stated that they will pass)
have stringent restrictions on strong crypto.

If the project wants to change that policy, we can discuss that -- to
say that it is rendered unnecessary by the new public domain status of
RSA is not correct, however.

>> 	- other patented algorithms, like IDEA/RC4/RC5
>
>I wasn't aware that the algorithms were patented. Are you saying that
>the openssl distribution in the NetBSD sources violates some patent?

IDEA is patented in some places.  The _name_ RC4 is trademarked, so the
algorithm can be used if it is called something else (IIRC, OpenSSL
calls it `arcfour').

>> 	if we take the safer side, we should change almost nothing but
>> 	RSAREF/non-RSAREF issue.
>
>It's a fact that we will be distributing secret key encryption in the
>base NetBSD-1.5. Who is served by restricting pkgsrc? There's a
>proposal on the table in tech-pkg to change the handling of crypto
>packages, which would pave the way to offer binaries for NetBSD-1.5.
>Please see
>
>http://mail-index.netbsd.org/tech-pkg/2000/09/07/0005.html

Strong cryptography in the NetBSD base sources is explicitly separated
into two directories -- src/crypto and src/sys/crypto.  By default, the
system is built with strong cryptography included, as it should
be.  However, for the reasons discussed above and elsewhere in this
thread, we have included a `knob', the MKCRYPTO variable, so that users
in more repressive countries can choose not to download those two
directories, and can build the system without icky bad dangerous strong
crypto.

Likewise with pkgsrc, as we discussed, no one is `restricting' pkgsrc,
but there needs to be a knob...

- -- 
				Jim Wise
				jwise@draga.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (NetBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE5uRGv2JhG4/qi8rQRAnjqAKCKYj/jdq37FNNVz4g0RLyBLCIqhACfTRGw
PJKGWjdss0HKtAWzMnxmAkg=
=6Lqm
-----END PGP SIGNATURE-----