Posted to dev@httpd.apache.org by Brian Behlendorf <br...@organic.com> on 1995/05/25 04:05:35 UTC

Re: Re: PGP/PEM security hooks removed from NCSA httpd (fwd)

My response follows.

---------- Forwarded message ----------
Date: Wed, 24 May 1995 20:19:11 -0500
From: owner-www-buyinfo@allegra.att.com
To: www-buyinfo@allegra.att.com
Subject: Re: Re: PGP/PEM security hooks removed from NCSA httpd

>From: adam cain <ad...@uxa.cso.uiuc.edu>
>Subject: Re: Re: PGP/PEM security hooks removed from NCSA httpd
>To: tedwards@src.umd.edu (Thomas Grant Edwards)
>Date: Wed, 24 May 1995 13:22:34 -0500 (CDT)
>Cc: cypherpunks@toad.com
>Mime-Version: 1.0
>Sender: owner-cypherpunks@toad.com
>Precedence: bulk
>
>> Could we hear the real details of the visit though?  It isn't everyday
>> the NSA descends out of nowhere and encourages you to weaken software.
>> For instance, how did they find out about the PGP/PEM hooks?  What did
>> they say when you mentioned that you would create an export-only version?
>
>Ok, ok.  A couple friendly folks from NSA's export division stopped by while
>they were in town on other business.  I don't recall their exact department
>name, but it seems they advise the State Dept. on how crypto is used in
>various software items.
>
>They wanted to know more about how XMosaic/httpd use PGP and PEM in the
>current implementation, so I gave them a demo and as many details about the
>source code as was relevant.  This has been available for over a year now,
>though I don't believe people are actually USING these features, as the
>implementation is rather crude (it involves scripts with the PGP passphrase
>in the clear, for starters).
>
>I think they found out about the hooks a year or so ago, and supposedly they
>sent NCSA a letter suggesting that software with encryption hooks is export
>controlled.  This letter was not received.  More recently, NCSA has been
>talking with NSA about a number of related issues (export controls, how they
>can use Fortezza with Mosaic, etc.).  So this wasn't exactly a swoop.
>More like the left hand not coordinating with the right hand.
>
>Anyway, I'll be firing up an "export controlled" ftp server, similar to how
>MIT distributes PGP.  The NSA folks indicated that this would probably be
>fine for distributing crypto-aware Web software.  We'll have to talk to other
>folks in the Compliance office of the State Dept, to get the official word.
>
>None of this was terribly surprising, just mildly annoying.  Especially since
>there seems to be a tacit understanding that such regulations are ineffective
>and only serve to annoy people and slow down organizations trying to produce
>secure software.
>
>As for an export version of such software...you probably know that if the
>crypto is used exclusively for authentication purposes, everything is
>hunky-dory.  As long as such software cannot be modified to support bulk
>encryption, it can be on the free server (not export controlled).
>You probably also know that if the crypto is castrated (40-bit RC2/4) and
>unmodifiable, then software supporting bulk encryption can be exported.
>We're now trying to figure out how feasible it is to produce such an export
>version.  Things become particularly tricky when you note that NCSA likes
>to give out software in source form for the Unix platform (client and server).
>
>Oh, and I almost forgot....James Earl Jones wasn't one of the NSA visitors,
>much to my dismay.
>                                                                             :)
>
>Remember, these are all my impressions and misunderstandings here, not some
>sort of official NCSA word.
>
>Adam
>a-cain@uiuc.edu
>acain@ncsa.uiuc.edu
>

-----------------
Robert Hettinga (rah@shipwright.com)
Shipwright Development Corporation, 44 Farquhar Street, Boston, MA 02131
USA (617) 323-7923
"There is no difference between someone who eats too little and sees Heaven
and someone who drinks too much and sees snakes." -- Bertrand Russell
>>>>Phree Phil: Email: zldf@clark.net  http://www.netresponse.com/zldf <<<<<