- From: Dan Stromberg - OAC-DCS <strombrg@hydra.acs.UCI.EDU>
- Date: Sun, 31 Dec 1995 13:09:22 -0800
- To: "Allan M. Schiffman" <ams@terisa.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, www-security@ns2.rutgers.edu
Actually, I have one message archived that indicates that MD5 does come under ITAR - that all crypto comes under ITAR. I used to have another message tucked away, saying that authentication came under ITAR, but was far easier to get past the review than is encryption. Yes, there is Much misinformation flying about ITAR - the messages I've seen in the past could be wrong, while Alan's is correct.

If MD5 is used for auth, MD5 isn't just MD5 anymore - it's not just digests, it's authentication. Now the US government can be kind of wacked, but in an ideal world (gov't) they will judge a system based on the purpose to which the algorithms are being put - not the purpose for which the algorithms were originally intended.

Note that it's also easy to turn MD5 into an encryption system, not solely into an authentication algorithm. This could explain why some have said that MD5 Is subject to ITAR. Again, however, since the intended purpose is only auth, it should not be subjected to encryption-style scrutiny when reviewed for export.

"Snefru" is widely available, tho probably not widely used, and uses MD5 for authentication. The US government does not appear to have gone after the author. I wrote a system using MD5 for auth, inspired by snefru, but I have no intention of allowing it off campus, at this point. :(

All in all, ITAR just needs to die, or at least be thoroughly clarified and weakened. ITAR quite simply shackles US producers of cryptography (and hence, cryptography-utilizing software), while leaving numerous other countries running unfettered. Many times, I've considered writing cryptographic systems to give away on the net, and concluded I should allow someone outside the US to do it, so everyone could have access to it. Investors in crypto almost have to feel similarly (tho I personally don't care about commercial software as much as the body of free software out there).

Please prove me wrong. I wanna be wrong on this one.
In message <v02130500ad0b76285e77@[205.226.39.192]> you write:

>On Sat, 30 Dec 1995, Andrew Cameron wrote:
>
>>Will this be available to people outside the US, or will the ITAR
>>regulations mean that only those in the US can legally use it.
>
>Putting Albert Lunde's point more emphatically: since Digest Access
>Authentication does not provide confidentiality (doesn't use encryption)
>it doesn't fall under ITAR at all.
>
>-Allan

Dan Stromberg - OAC/DCS strombrg@uci.edu
Received on Sunday, 31 December 1995 13:12:41 UTC
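The distinction the quoted reply draws, a hash used to prove knowledge of a password versus encryption that hides data, is easy to see in code. The following is an added example, not code from either poster or from the Digest specification itself; it assumes the RFC 2069 formulation of Digest Access Authentication (response = MD5(MD5(user:realm:password):nonce:MD5(method:uri))) and uses constructed sample credentials, nonce and request values.

```python
import hashlib
import secrets

# Constructed sample values for the demonstration; not from the thread.
REALM = "example.org"
USERNAME = "alice"
PASSWORD = "correct horse"                    # shared secret, never transmitted
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # server-chosen per challenge


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    nonce: str, method: str, uri: str) -> str:
    """RFC 2069 response value (assumed formulation):
    MD5( MD5(user:realm:password) : nonce : MD5(method:uri) )"""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username: str, realm: str, password: str,
                        nonce: str, method: str, uri: str) -> dict:
    """Fields the client actually sends: all readable, none of them the password,
    and nothing about the request body is hidden."""
    return {
        "username": username,
        "realm": realm,
        "nonce": nonce,
        "uri": uri,
        "response": digest_response(username, realm, password, nonce, method, uri),
    }


def verify(stored_ha1: str, auth: dict, method: str) -> bool:
    """Server side: recompute from the stored MD5(user:realm:password) and
    compare in constant time; the plaintext password is not needed."""
    ha2 = md5_hex(f"{method}:{auth['uri']}")
    expected = md5_hex(f"{stored_ha1}:{auth['nonce']}:{ha2}")
    return secrets.compare_digest(expected, auth["response"])


def demo() -> tuple:
    """Returns (good login accepted, bad password rejected, password absent from wire)."""
    method, uri = "GET", "/dir/index.html"
    stored_ha1 = md5_hex(f"{USERNAME}:{REALM}:{PASSWORD}")

    good = build_authorization(USERNAME, REALM, PASSWORD, NONCE, method, uri)
    accepted = verify(stored_ha1, good, method)

    bad = build_authorization(USERNAME, REALM, "not the password", NONCE, method, uri)
    rejected = not verify(stored_ha1, bad, method)

    # The header carries a proof of knowledge, not the secret and not ciphertext.
    password_absent = PASSWORD not in good.values()
    return accepted, rejected, password_absent


if __name__ == "__main__":
    print(demo())
```

The server stores only MD5(user:realm:password) and can still check the response, so the password crosses the wire in neither direction; every other field, and the HTTP body, is sent in the clear. That is the sense in which the scheme authenticates without providing confidentiality. A fresh nonce per challenge is what keeps a captured response from being replayed later.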