Re: Digest Authentication

From: Dan Stromberg - OAC-DCS <strombrg@hydra.acs.UCI.EDU>
Date: Sun, 31 Dec 1995 13:09:22 -0800
Message-Id: <199512312109.NAA19361@bingy.acs.uci.edu>
To: "Allan M. Schiffman" <ams@terisa.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, www-security@ns2.rutgers.edu

Actually, I have one message archived that indicates that MD5 does
come under ITAR - that all crypto comes under ITAR.

I used to have another message tucked away, saying that authentication
came under ITAR, but was far easier to get past the review, than is
encryption.  Yes, there is Much misinformation flying about ITAR - the
messages I've seen in the past could be wrong, while Allan's is
correct.

If MD5 is used for auth, MD5 isn't just MD5 anymore - it's not just
digests, it's authentication.  Now the US government can be kind of
wacked, but in an ideal world (gov't) they will judge a system based
on the purpose to which the algorithms are being put - not the purpose
for which the algorithms were originally intended.

Note that it's also easy to turn MD5 into an encryption system, not
solely into an authentication algorithm.  This could explain why some
have said that MD5 Is subject to ITAR.  Again, however, since the
intended purpose is only auth, it should not be subjected to
encryption-style scrutiny, when reviewed for export.

"Snefru" is widely available, tho probably not widely used, and uses
MD5 for authentication.  The US government does not appear to have gone
after the author.  I wrote a system using MD5 for auth, inspired by
snefru, but I have no intention of allowing it off campus, at this
point.  :(

All in all, ITAR just needs to die, or at least be thoroughly
clarified and weakened.  ITAR quite simply shackles US producers of
cryptography (and hence, cryptography-utilizing software), while
leaving numerous other countries running unfettered.  Many times, I've
considered writing cryptographic systems to give away on the net, and
concluded I should allow someone outside the US to do it, so everyone
could have access to it.  Investors in crypto almost have to feel
similarly (tho I personally don't care about commercial software as
much as the body of free software out there).

Please prove me wrong.  I wanna be wrong on this one.

In message <v02130500ad0b76285e77@[205.226.39.192]> you write:
>On Sat, 30 Dec 1995, Andrew Cameron wrote:
>
>>Will this be available to people outside the US, or will the ITAR
>>regulations mean that only those in the US can legally use it.
>
>Putting Albert Lunde's point more emphatically: since Digest Access
>Authentication does not provide confidentiality (doesn't use encryption)
>it doesn't fall under ITAR at all.
>
>-Allan
>
>

Dan Stromberg - OAC/DCS                         strombrg@uci.edu
Received on Sunday, 31 December 1995 13:12:41 EST
