[Cryptography] Wind River Security Features and Cryptography Libraries

Jon Callas jon at callas.org
Fri Nov 7 16:11:09 EST 2014


I've been involved in producing and exporting crypto for close to twenty years. I've been involved in doing whatever is needed, from filling out paperwork to printing source code on paper.

Since 1997, there's been a steady liberalization of export control in the US. One might argue that it's not monotonically decreasing, but it's decreasing continually. Right now, it's easier to get an export license than it is to do your taxes. Similarly to doing one's taxes, you can do it yourself, but if it's at all complex there are pros who can do it for reasonable prices.

Collin Anderson's note was right on, and I almost feel sheepish for adding to it.

In many cases, there are outright exemptions for export control. There's an exemption for "mass market" crypto. There's an exemption for open source source code releases. I apologize for forgetting who said this on what list, but in this discussion, someone said that this was a reason for an anonymous source code release, and ironically a source code release is on the exemption list, so you don't need it to be anonymous if you're releasing source!

This means that in many cases, there's a "why bother" aura around export licenses. Let's say you do JavaScript crypto (I pick this because the code is implicitly source) that you put on a public web site (which makes it mass market). You have two exemptions here. It can be argued that it only annoys everyone to bother with the paperwork. One can even argue that it would be a *good* thing for everyone who uses SSL on their web site to apply for export licenses because that chaffs the BIS. One can argue that BIS is chaffing themselves.

So that leads us to what we've all been saying -- we have no idea what is really going on here. We're all speculating. I think that Goodwin Procter's speculation:

   This suggests a fundamental change in BIS’s treatment of violations 
   of the encryption regulations.

is both speculation and something to strongly disagree with. Really? What leads you to this? Given that they're a law firm that does export filings, this speculation is a speculation that drives more business to them. This is like someone bringing up a case of food poisoning in hamburgers and saying this is why you should pay me to inspect your kitchen. Consider the source. (And by the way, if someone needs to know a good export lawyer, write me off-list. I am happy to share, but feel it inappropriate to plug anyone here.)

There are other reasonable speculations, as well. Mine is that Wind River has been really sloppy about export control filings on many things, there's a lot of behind-the-scenes drama, and BIS decided to slam them for this because they admitted they're guilty. Effectively, this is the get-Capone-for-taxes story.

The huge irony in crypto today is that the more one is interested in the sort of crypto that is the general milieu of this list, the less one needs to worry about export licenses. Publishing your source gets you an exemption. The export definition of "mass market" means "generally available" not quantities or anything like that. If you have closed-source, secret algorithms, sold only to LEA/Military, you don't get any of the exemptions that we all do. Whatever's going on with Wind River, they are doing something that they admit they needed a license for that they didn't get.

So -- something's going on here and we don't know what it is. But it's almost certainly not what's being speculated about here. Yeah, yeah, if you're doing crypto professionally (by which I mean for pay), get an export license. Really, it's easier than doing your taxes, reasonably inexpensive, and if you ever end up in a different export battle -- for example, you didn't realize that those FPGAs or GPS chips might be considered "dual use" -- you won't get smacked with the crypto stick because they decided you needed to get smacked and that was the closest stick.

	Jon

