Path: utzoo!attcan!uunet!lll-winken!ames!pasteur!ucbvax!decwrl!decvax!crltrx!treese
From: treese@crltrx.crl.dec.com (Win Treese)
Newsgroups: comp.windows.x
Subject: Re: X11R3 security hole needs attention
Message-ID: <112@crltrx.crl.dec.com>
Date: 24 Mar 89 08:51:10 GMT
References: <8903211848.AA07020@dawn.steinmetz.Ge.Com>
Reply-To: treese@.crl.dec.com (Win Treese)
Organization: DEC Cambridge Research Lab
Lines: 31

In article <8903211848.AA07020@dawn.steinmetz.Ge.Com> stpeters@dawn.UUCP writes:
>>> (And then, there's this problem with distributing
>>> cryptographic stuff outside the US ...)
>
>>Not really.  The "problem" is that the folks in the Reagan-now-Bush
>>administration ... foolishly think that
>>the U.S. Government can stop the spread of cryptographic technology
>
>Reagan didn't invent this problem.  There were other fools aplenty
>before him.  Also, don't think the only technology impacted is
>cryptography.

Well, the situation turns out to be rather more complicated than it
should be.  The algorithm specification for the Data Encryption Standard
(DES) was published some years ago by the NBS (now NIST).  Anyone can
get a copy and implement the software -- takes a few hours for a working,
though slow, implementation.

The resulting software is not exportable.

In fact, several DES packages have been implemented outside the US, including
one from Finland that was recently announced on USENET.  But that isn't
sufficient, since even that can't be exported from the US to another country.
(In other words, if someone in Europe gives me a DES library, I can't give
it back.)

There are many lawyers who get paid to argue about this.  And Bob's original
statement is still true.

Win Treese						Cambridge Research Lab
treese@crl.dec.com					Digital Equipment Corp.