
Re: ITP seahorse



Raul Miller <moth@debian.org> writes:

> If the hook supports, say, an 8 bit key, that means it's not a restricted
> piece of munitions, right?  But if a hook supports, say, a 448 bit key,
> that means it's a restricted piece of munitions, right?  But what about
> a hook that doesn't care about keys?
<SNIP>
> Ok, nothing illegal about that.  Replace hash() with a 16 or 32 bit
> checksum, and you're fine, regardless of the size of your key.  But,
> replace hash with md5sum (use Digest::MD5 'md5'), and all of a sudden
> you've got a 128 bit algorithm you can't export.  But that didn't make
> the stupid xor encryption routine illegal.
<SNIP>

A common misconception.

Under the old (1999 and earlier) encryption export controls, _all_
encryption had to apply for an export license - even the stupid "xor
with some fixed byte" method.  _However_, RSA inc. had reached an
agreement with the US government allowing for an automatic export
license for encryption technology _using_RSA_ with a key length of
less than n bits, where n is too small to provide real security.

My father's company once released a little one-off utility internally
that required a password which was stored XOR'ed with FF.  The company 
in question is multinational, and they had to apply for an export
license to send it to their offices in Europe.  (The license was
granted very quickly, but they still had to apply.)

Also, it is my belief that secure hashes were not in and of themselves 
considered to be cryptographic technologies requiring export
permission, but I'm uncertain on that detail.


