Open Source Embedded SSL - Export Questions

J Harper jsec at peersec.com
Mon Nov 24 21:06:33 EST 2003 

Hi All,

We've implemented a small version of SSL that we plan to release as open source by year's end.  I've seen some discussion on this group indicating that this would be useful in the embedded environments, given the current landscape of larger implementations such as OpenSSL (Crypto++, etc).  We developed this ourselves (using some of the crypto routines in Tom's libtomcrypt) as part of our Web services based device management software because we needed to keep our own footprint small, and I imagine there are others looking to do the same.

Once our code is released, we welcome feedback in terms of additional requirements, gotchas, etc. (and if you want to jump in now, that's fine too).  But before we can release, we need to understand the export issues (we're a US based company).  An overview of what we're developed for the first release:

SSLv3 protocol implementation
Simple ASN.1 parsing
Cipher suites:
    TLS_RSA_WITH_RC4_128_MD5
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA

We're not looking for official legal advice, just some pointers to current online resources of how to go about registering our product in the US.  I've seen posts that for SSL implementations you "just need to send a letter to the government", but haven't come across an official government checklist and address.  We may be able to weaken the code down using the export ciphers, but I doubt end users will be interested in that level of encryption.  Plus, if we do have to limit key lengths, it seems a bit arbitrary with open source code, since users can simply change a few lines of code and have full strength crypto.  Are there any special provisions for source release (short of getting a tattoo, singing an mp3 or sending a model rocket over to Mexico - kidding, kidding)?

We'd appreciate feedback or pointers to documentation on the steps required for government registration and an approximate timeframe for the process.  On a different, but similar legal note, what current patent/trademark issues have people run across with the algorithms mentioned above?  RSA patents expired a few years ago and our ARC4 implementation is not trademarked as far as I understand (although most books on the subject seem a bit squirrelly).  Open source crypto libraries include implementations of these and other disputed algorithms including DSS and ECC, so I'm wondering how they handled the situation.

Thanks,

J Harper
PeerSec Networks
http://www.peersec.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list