<div dir="ltr"><br>
On Sat, 23 Aug 2014 11:04:43 -0400, Sandy Harris <<a href="mailto:sandyinchina@gmail.com">sandyinchina@gmail.com</a>> wrote:<br><div id=":na" class="">
<br>
On Tue, Aug 19, 2014 at 5:43 PM, Dave Horsfall <<a href="mailto:dave@horsfall.org">dave@horsfall.org</a>> wrote:<br>
<br>
>> OK, call me a newbie (which basically I am), but I'm baffled by something<br>
>> that's popped up in a couple of threads here, ...<br>
>><br>
>> It then got relaxed, apparently because the "enemy" already have strong<br>
>> crypto so it was pointless.<br>
<br>
> I'd say the main reason for the relaxation in the US was the Bernstein case<br>> Dan Bernstein (grad student at Berkeley, later prof at U Illinois), supported<br>
> by the EFF, sued the US government arguing that, since code can be<br>
> read and discussed by humans, it qualifies legally as speech, so export<br>
> restrictions on source code are an unconstitutional restriction on free<br>
> speech. He won in the first court & again on appeal. There is an archive<br>
> of case documents with links to related cases:<br>
<a href="http://cr.yp.to/export.html" target="_blank">> http://cr.yp.to/export.html</a><br>
<br>>
At that point, the government changed their regulations -- moved the<br>
> controls from the State dep't to Commerce and allowed export of<br>
> "public domain" code, provided the Commerce dep't is notified. As<br>
> I see it, they were scrambling to salvage anything they could and<br>
> desperately trying to avoid having the Bernstein case make it to<br>
> the Supreme Court and perhaps overturn the regulations completely.<br>
<br>>
The EFF says the requirement for notification is still unconstitutional,<br>>
but I have not heard of any court case over that.<br>
</div><div class="gmail_extra"><br></div><div class="gmail_extra">"Success has many fathers, while failure is an orphan."<br><br></div><div class="gmail_extra">There were a lot of factors. <br><br></div><div class="gmail_extra">
Another one, which I was personally involved in, was the demonstration that 40 and <br></div><div class="gmail_extra">56 bit bit encryption was insecure.<br><br>Members of the 'cypherpunks' mailing list organized a distributed brute force of a <br>
40 bit key in 1995. It took about 300 PCs, and three weeks.<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">This was important, because it gave the lie to government claims that 40 bits <br>was 'good enough'. All of a sudden, the international market dropped out from<br>
under US software exporters of secured products. This threw market forces<br>to the side of stronger keys - 40 bit crypto became a laughingstock, and its<br>use clearly did not meet due diligence.<br><br></div><div class="gmail_extra">
The USG response, within a few months, was to up the limit to 56 bits - <br>single DES. The RSA Secret Key Challenges were the response. Single <br>DES was first brute forced over several months in early 1997, and by 2000<br>
</div><div class="gmail_extra">this was done in under 24 hours.<br><br></div><div class="gmail_extra">Soon after, the export restrictions were eased. <br><br></div><div class="gmail_extra">The challenges were hardly the only reason, but they provided an easy to<br>
understand and impossible to deny proof that software engineers and<br></div><div class="gmail_extra">purchasers could put in front of their managers, and which corporate<br>management could present to the government.<br>
<br></div><div class="gmail_extra">pt<br><br> </div></div>