NSA, ITAR, NCSA and plug-in hooks.
I just found this tidbit while following Sameer's Apache WWW server link. For those who were wondering if plug-in crypto hooks were still watched out for. One wonders how the ietf folks are managing to promote internet-wide standards that are considered unexportable (Are they? What's the deal on photuris, PEM, ipsec and the rest of them?)

Ps. I may be totally wrong, but I remember seeing something posted last month about some ZKIPS scheme in relation with Netscape (zero knowledge proofs with web servers, huh? Confused).

-----------------------------------------------------------------------

WHY WE TOOK PEM OUT OF APACHE

On May 17th, 1995, we were asked by a representative of NCSA to remove any copies of NCSA httpd prior to 1.4.1 from our web site. They were mandated by the NSA to inform us that redistribution of pre-1.4.1 code violated the same laws that make distributing Phil Zimmermann's PGP package to other countries illegal. There was no encryption in NCSA's httpd, only hooks to publicly available libraries of PEM code. By the NSA's rules, even hooks to this type of application are illegal.

Because Apache is based on NCSA code, and we had basically not touched that part of the software, we were informed that Apache was also illegal to distribute to foreign countries, and advised (not mandated) by NCSA to remove it. So, we removed both the copies of the NCSA httpd we had, and all versions of Apache previous to 0.6.5.

The Apache members are strong advocates of the right to digital privacy, so the decision to submit to the NSA and remove the code was not an easy one. Here are some elements in our rationale:

* The PEM code in httpd was not widely used. No major site relied upon its use, so its loss is not a blow to encryption and security on the world wide web. There are other efforts designed to give much more flexible security - SSL and SHTTP - so this wasn't a function whose absence would really be missed on a functional level.

* We didn't feel like being just a couple more martyrs in a fight being fought very well by many other people. Rather than have the machine that supports the project confiscated or relocated to South Africa, etc., we think there are more efficient methods to address the issue.

It kind of sickens us that we had to do it, but so be it.

Patches that re-implement the PEM code may be available at a foreign site soon. If it does show up, we'll point to it - that can't be illegal!

Finally, here is a compendium of pointers to sites related to encryption and export law. We can't promise this list will be up to date, so send us mail when you see a problem or want a link added. Thanks.

* Yahoo - Science: Mathematics: Security and Encryption
* EFF Crypto/Privacy/Security Archive
* Crypto page at Quadralay
* Cryptography Export Control Archives (Cygnus)
* ICLU - Your Rights in Cyberspace

Brian, brian@hyperreal.com
s1113645@tesla.cc.uottawa.ca writes:
For those who were wondering if plug-in crypto hooks were still watched out for. One wonders how the ietf folks are managing to promote internet-wide standards that are considered unexportable (Are they? What's the deal on photuris, PEM, ipsec and the rest of them?)
WHY WE TOOK PEM OUT OF APACHE
On May 17th, 1995, we were asked by a representative of NCSA to remove any copies of NCSA httpd prior to 1.4.1 from our web site. They were mandated by the NSA to inform us that redistribution of pre-1.4.1 code violated the same laws that make distributing Phil Zimmermann's PGP package to other countries illegal. There was no encryption in NCSA's httpd, only hooks to publicly available libraries of PEM code. By the NSA's rules, even hooks to this type of application are illegal.
Does anyone know the ostensible justification for this? What section of the ITARs do they point to when they say "this is illegal"? I've perused an online copy of ITAR (no, I haven't read all of it -- I have other things I want to do this year :-), but I can't find a section that could be construed to support this contention. -- Jeff
Hello,

On Tue, 14 Nov 1995, Jeff Barber wrote:
s1113645@tesla.cc.uottawa.ca writes:
Does anyone know the ostensible justification for this? What section of the ITARs do they point to when they say "this is illegal"? I've perused an online copy of ITAR (no, I haven't read all of it -- I have other things I want to do this year :-), but I can't find a section that could be construed to support this contention.
I scanned through the ITAR, and I agree that there doesn't seem to be anything about hooks that are illegal, but the NSA does have the authority to protect whatever threatens national security. If they are overstepping their bounds who is going to push it to court to find out, as that is where the decision would have to be made (very expensive).

Take care and have fun.

James Black
On Tue, 14 Nov 1995 14:49:23 -0500 (EST), you wrote:
Hello,
On Tue, 14 Nov 1995, Jeff Barber wrote:
s1113645@tesla.cc.uottawa.ca writes:
Does anyone know the ostensible justification for this? What section of the ITARs do they point to when they say "this is illegal"? I've perused an online copy of ITAR (no, I haven't read all of it -- I have other things I want to do this year :-), but I can't find a section that could be construed to support this contention.
I scanned through the ITAR, and I agree that there doesn't seem to be anything about hooks that are illegal, but the NSA does have the authority to protect whatever threatens national security. If they are overstepping their bounds who is going to push it to court to find out, as that is where the decision would have to be made (very expensive).

Take care and have fun.
The ITAR talks about crypto components; the government is interpreting this as software that allows plug-in encryption.

Dan Weinstein djw@pdcorp.com http://www.earthlink.net/~danjw
PGP public key is available from my Home Page. All opinions expressed above are mine.
"I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No." Friedrich Nietzsche
I move we file a CJR on some suitable software with crypto hooks. Off the top of my head, the most plausible candidate is NCSA httpd v1.3. It's certainly software with function other than crypto. It's also the case that the crypto hooks are nearly unusable. I should know - I got quoted in USA Today for buying three CDs using these hooks ;-).

Another possibility that comes to mind is Eudora. A judgement that Eudora is non-exportable is certain to piss a lot of people off. I'm not sure whether that's a good thing or a bad thing.

I promise not to file a CJR without the express permission of the owners of the software. Such a CJR would certainly not be frivolous. It is certainly the case that the law is not clear enough for software producers to move with confidence. Further, applications with crypto hooks are much more important to the cpunk cause than are the crypto applications themselves. Face it: PGP is available to all, but very few people actively use it. Its serious usability problems are only a small part of the reason. The real reason is that people are unwilling to integrate with it because they're afraid of the export controls.

By the way, I have not heard back regarding my t-shirt CJR. If I have time, I'll call them tomorrow and ask what's up.

Raph
James Black writes:
I scanned through the ITAR, and I agree that there doesn't seem to be anything about hooks that are illegal, but the NSA does have the authority to protect whatever threatens national security.
Since when? They aren't a police agency. They have no power to arrest or prosecute, and they don't even (directly) make any decisions on any of this stuff (although they are responsible for the decisions that are made).

.pm
Jeff Barber writes:
Does anyone know the ostensible justification for this? What section of the ITARs do they point to when they say "this is illegal"? I've perused an online copy of ITAR (no, I haven't read all of it -- I have other things I want to do this year :-), but I can't find a section that could be construed to support this contention.
I think it's 121.1, Category XIII paragraph (b) item (5): "Ancillary equipment specifically designed or modified for paragraphs (b) (1), (2), (3), (4) and (5) of this category;"
For those who were wondering if plug-in crypto hooks were still watched out for. One wonders how the ietf folks are managing to promote internet-wide standards that are considered unexportable (Are they? What's the deal on photuris, PEM, ipsec and the rest of them?)
Does anyone know the ostensible justification for this? What section of the ITARs do they point to when they say "this is illegal"? I've perused an online copy of ITAR (no, I haven't read all of it -- I have other things I want to do this year :-), but I can't find a section that could be construed to support this contention.
Luckily, a lot of cryptographic materials are available outside the United States (see e.g. http://www.cs.hut.fi/crypto for pointers). If the United States chooses to restrict export of IP security products, it simply helps create a flourishing network security and other communications industry in other countries. There are already several implementations of the IP security stuff abroad - including at least one in the former Soviet Union. Tatu
: It kind of sickens us that we had to do it, but so be it.
:
: Patches that re-implement the PEM code may be available at a foreign
: site soon. If it does show up, we'll point to it - that can't be
: illegal!

I see no reason why they should not be as "illegal" as the crypto-with-a-hole silliness. Pointing to software is a pretty effective way of disclosing it, and disclosing cryptographic software--apparently including holes--to foreign persons without a license is a violation of the ITAR.

Of course, the ITAR itself is illegal as it applies to cryptographic software, but I agree that one does not want to be the defendant in a criminal case based on those unconstitutional provisions.

--
Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH
Internet: junger@pdj2-ra.f-remote.cwru.edu junger@samsara.law.cwru.edu