W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

Re: Digest Authentication

From: Ned Freed <NED@innosoft.com>
Date: Sun, 31 Dec 1995 20:56:47 -0800 (PST)
To: Dan Stromberg - OAC-DCS <strombrg@hydra.acs.UCI.EDU>
Cc: ams@terisa.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, www-security@ns2.rutgers.edu
Message-Id: <01HZGZHW00Z09AMEPU@INNOSOFT.COM>
> Actually, I have one message archived that indicates that MD5 does
> come under ITAR - that all crypto comes under ITAR.

Quoting from ITAR, part 121.1:

121.1 General. The United States Munitions List.

  Category XIII -- Auxiliary Military Equipment

  (1) Cryptographic (including key management) systems, equipment,
      assemblies, modules, integrated circuits, components or software with
      the capability of maintaining secrecy or confidentiality of information
      or information systems, except cryptographic equipment and software as
      follows:

      ... omitted ...

      (vi) Limited to data authentication which calculates a Message
           Authentication Check (MAC) or similar result to ensure that no
           alteration of text has taken place, or authenticate users, but does
           not allow for encryption of data, text or other media other than that
           needed for authentication.

  ... omitted ...

  (3) Cryptographic systems, equipment, assemblies, modules,
      integrated circuits, components or software.

In other words, the status of authentication-only systems is peculiar. First it
is specifically exempted from one item on the munitions list, but then there's
another item on the list that appears to include it in spite of the earlier
exemption.

So it does appear to be covered, but not by the same item that covers
encryption systems.

> I used to have another message tucked away, saying that authentication
> came under ITAR, but was far easier to get past the review, than is
> encryption.  Yes, there is Much misinformation flying about ITAR - the
> messages I've seen in the past could be wrong, while Alan's is
> correct.

First of all, you have to realize that while ITAR review is a state department
function, it's really done by the NSA. However, the NSA's stated policy is to
allow the export of authentication-only systems. In addition, the procedures
for authentication-only products are much simpler -- basically you go to them
and get a single CJ (commodities jurisprudence) that covers the entire product
and you're done. With encryption products you may have to get each sale
approved separately, assuming you can get any sort of export permission
whatsoever.

> If MD5 is used for auth, MD5 isn't just MD5 anymore - it's not just
> digests, it's authentication.  Now the US government can be kind of
> wacked, but in an ideal world (gov't) they will judge a system based
> on the purpose to which the algorithms are being put - not the purpose
> for which the algorithms were originally intended.

It's quite clear from the ITAR text that such distinctions are in fact
made. Just because it's a dumb rule doesn't mean the people administering
it don't understand at least some of the issues.

The bottom line is that if you intend to export anything that uses
cryptographic methods, you'd best hire a lawyer familiar with export law and
get approval for it. You'll probably have no problem with authentication.

				Ned
Received on Sunday, 31 December 1995 21:23:10 EST