httpd-dev mailing list archives

From (Robert S. Thau)
Subject Re: export restrictions & mirroring Apache at NCSA
Date Fri, 19 May 1995 12:50:06 GMT
   From: (Cliff Skolnick)
   Date: Thu, 18 May 1995 19:53:28 PST
   Precedence: bulk

   Actually renaming hooks is ok.  I just talked with a bunch of people, one
   of which is being chased by the government for publishing PGP.  The
   suggestion was to call it a compression hook, which then could be
   granted a waiver.  This would not be quick, but would work.  On the
   other hand some think that ITAR does not cover items in the public
   domain, but that has never been tested in court just yet.


Well, "calling it a compression hook", would presumably involve *at
least* the following:

*) changing the names of the magic MIME types to words that don't
   involve the ugly strings "pem" and "pgp".

*) getting the magic keyword which is fed to the encryptor and
   decryptor programs from somewhere other than the Authorization:
   line of the original request (and, incidentally, getting the
   required "PEM" and "PGP" keywords out of there as well).

*) explaining what that magic keyword is good for anyway, if it
   *isn't* specifically supposed to identify the public key for
   decrypting the request and encrypting the response which go inside
   the cryptographic envelopes.

I really don't see how to do all of that, and still stay compatible
with the existing code --- which implements a form of crypto-enhanced
HTTP which has the blessing of no standards body, and has hardly taken
the world by storm in any case.  

Furthermore, trying to find some way to continue to distribute the
current code internationally plays into the hands of the NSA in at
least the following respect: it makes it look as if *we* believe their
underlying assumption that there is some magic crypto expertise hidden
within these shores (apologies to the Brits) which won't be exported
unless someone carries the code across national borders.  The FreeBSD
approach, in which the source code for anything crypto-capable does
*not* cross national borders, is much more effective in exposing that
fantasy for what it is than it would be to take the existing (and
little used) crypto hooks from the NCSA server, file off the serial
numbers, and then dare the NSA to prove that they are in fact what we
knew them to be all along.

It's not that I think these regulations are great and good --- I just
think that if we do anything that might be seen as challenging them,
we should think hard about the form of the challenge before we embark
on it.  It would be unfortunate if thoroughly nontechnical politicians
(i.e., the people we'd need to win over if we were ever going to
change anything) wound up seeing us as anarchistic goons intent on
nothing more than stretching the law for the sake of our own fun, or
saw our actions as providing evidence for the NSA's case.  Being
thoroughly, even ostentatiously compliant with the extant regulations
may be the *only* way to convince elected anybody that we are
responsible citizens with legitimate arguments which deserve to be

