Crypto Ruling and Mozilla
Friday May 7th, 1999
With the latest ruling against crypto-export laws, some of you have been wondering how this applies to Mozilla (if at all). Well, we're not sure, but I bet there are a few developers that would be willing to enlighten us on this subject. If any of you know more about how this ruling affects Mozilla, please respond in the talkback to this item...
It really depends on what happens in the appeals process. If the ruling stands with all the courts, all the way up, it looks like the crypto laws will be repealed.
Congress could try to get an injunction while it wrote and voted on a new version of the laws that might pass in the court, but if the Supremes back the current ruling, Congress would be wasting its time.
Basically, Netscape would be able to release all the crypto code for everything. HTTPS code, certificates, and all the rest, so long as it wasn't licensed, would be open on Mozilla. Cryptozilla would be able to fold their efforts into the old source, or more likely use bits of the old code in their work.
Basically, it is about damn time the export restrictions fell. The laws are a joke anyways, especially since PGP was legally exported in book form as source code and then scanned in overseas. After that happened, anyone anywhere could have strong encryption.
#2 Re:Crypto Ruling and Mozilla
Friday May 7th, 1999 12:29 PM
While Netscape would be allowed to release the crypto code, doing so would make it virtually useless.
All that I would think this would have an effect on Mozilla was that there would no longer need to be a 40 bit version for the rest of the world and people would no longer need to register the 128 bit version.
Netscape could also lease the crypto code to other companies, say Neo-planet, if they so chose, whether that company was based in the U.S. or not.
#3 Re:Crypto Ruling and Mozilla
by simeon pimpmaster.
Friday May 7th, 1999 12:54 PM
This post explains why this ruling is not as significant as you may think it is, at least for mozilla in the short term: <http://www.dejanews.com/[ST_rn=qs]/getdoc.xp?AN=475219263>
"While Netscape would be allowed to release the crypto code, doing so would make it virtually useless."
What? It would make it better and able to provide strong crypto out-of-the-box instead of forcing users to DL (illegally? - it's in the Netherlands) from <http://www.replay.com> or use cryptozilla.
Why would that make it useless?
#5 Re:Crypto Ruling and Mozilla
by SomeSmartAss <email@example.com>
Friday May 7th, 1999 1:02 PM
Now, if source code is considered free speech, does that mean that you can't lock up the guy who created the Melissa virus, since he was just "exercising" his constitutional rights?
#6 Re:Crypto Ruling and Mozilla
by SomeSmartAss <firstname.lastname@example.org>
Friday May 7th, 1999 1:10 PM
Re: Kuvo "release the crypto code, doing so would make it virtually useless."
<http://www.wired.com/wire…/archive/7.04/crypto.html> this is a pretty simple primer on open-key crypto algorithms. The whole point is that, even if you know the technique, and the algorithms, it doesn't help you. You still need to know the private key. Even at 40-bits it's pretty near improbable to just happen upon it in a timely manner, for the average use at any rate. (I know that 40-bit encryption has been cracked, but I hardly think that your average joe cyber-thief is going to have 100+ desktops + a few high end servers running 24-7 at his disposal)
#7 Re:Crypto Ruling and Mozilla
Friday May 7th, 1999 1:13 PM
"2. The crypto code in Netscape was licensed from someone else. We'd have to get their permission to publish it, which they won't grant because they'd lose a major source of revenue. They also own the US patent that would cover any Communicator-compatible crypto, so mozilla.org won't legally be able to host a replacement, either."
Quite obviously, this is RSA - and the nice thing about it being RSA is that their patent expires this September, if my memory serves correctly. This point, at least, will be moot very shortly.
Patents expiring has nothing to do with being able to breach a licensing contract.
People outside the U.S. are free to implement crypto code in their own source tree, and distribute it as they wish. I'm surprised no one has done this, other than cryptozilla, which hasn't done anything in over a year. You shouldn't sit around and wait for mozilla.org to change its policy.
"Basically, it is about damn time the export restrictions fell. The laws are a joke anyways, especially since PGP was legally exported in book form as source code and then scanned in overseas. After that happened, anyone anywhere could have strong encryption."
Before that happened, strong crypto was available everywhere already.
"What? It would make it better and able to provide strong crypto out-of-the-box instead of forcing users to DL (illegally? - it's in the Netherlands) from www.replay.com or use cryptozilla."
Using fortify to patch your browser is not illegal. Downloading the 128-bit version from the Netherlands isn't illegal either.
"Even at 40-bits it's pretty near improbable to just happen upon it in a timely manner"
Unless you spend a few hundred bucks on the necessary hardware. 40 bits keeps your kid sister from eavesdropping. It won't stop anybody else.
#10 Re:Crypto Ruling and Mozilla
by Bradley Robinson <email@example.com>
Friday May 7th, 1999 2:32 PM
If this case makes it all the way to the Supreme Court, and they ruled the crypto laws unconstitutional, the government would really have no choice but to attempt to make an amendment to the US Constitution. There are currently only 27 amendments to the US Constitution. 27 in 200 years doesn't say much for an amendment's chances. But could executables be considered language? Binaries might be considered translated language by the court, and therefore, may be covered by the first amendment. Maybe they can be convinced of this idea?
#11 Re:Crypto Ruling and Mozilla
Friday May 7th, 1999 5:09 PM
Dammit, mozilla.org is down. I thought I read there that there were reasons they didn't release crypto besides the gov't rules. They won't modify the constitution. It'll end at the Supreme Court one way or another, most likely.
Does IE have a higher encrypted version? I certainly haven't seen one. I think that's strange.
#12 Re:Crypto Ruling and Mozilla
Friday May 7th, 1999 6:45 PM
Opera does! Opera currently (3.6) offers 40-, 56-, 128- and 168-bit encryption worldwide - <http://www.opera.no/support/config/security.htm>
#13 Status of RSA patent
by Frank Hecker <firstname.lastname@example.org>
Friday May 7th, 1999 9:41 PM
To clarify the point made by HoserHead above: the RSA patent (on the RSA public key algorithm) expires on September 20, 2000 (_not_ this year); this patent is valid only in the U.S., so it restricts what AOL and mozilla.org can distribute, but does not restrict what developers outside the U.S. can distribute.
#14 Re:Crypto Ruling and Mozilla
Friday May 7th, 1999 11:55 PM
If it doesn't matter who has the source code, why the law?
The law exists to prevent the widespread distribution and use of cryptography. Cryptography is already available everywhere in the world, and the government knows this, so the export restriction is not really to restrict exports. It is simply a way to restrict widespread adoption of common encryption standards because you can't just put crypto code on an ftp site or cvs server and have everyone work on it and use it.
We need to make every packet of internet traffic be strongly encrypted, for _every_ internet user, without any complicated setup procedure. Encrypted communication should be taken for granted, even by non-technical users. If the people take private communication for granted, it will be as hard to ban it as it would be to ban television sets, for example.
I forgot to mention that there really is no actual law against export of encryption technologies. The restriction is merely the current way certain government officials _interpret_ a law on munitions export.
I believe President Clinton has declared a state of national emergency _twice_, simply to give himself the power to renew this "law" without having to bother to go through the normal constitutional process of having a separate branch of government pass laws.
Now why didn't I hear "President declares state of national emergency" on the evening news?
It's more than just the fact that knowing the algorithm doesn't help in trying to crack it. It's a basic tenet of cryptography that you should assume the attackers know the method you chose. That's why the secrecy is really all in the key; if you relied on the secrecy of the algorithm then it wouldn't matter what your key was. In general it's been shown that trying to keep a method secret is a poor way to get security. Public methods and public source code mean less chance of flaws and backdoors in the implementation. Or doesn't anyone remember the embarrassment that happened to Netscape over its encryption code, and how it repented and promised to let others audit that code in the future?
"The restriction is merely the current way certain government officials _interpret_ a law on munitions export."
I thought it was as simple as the fact that the US government classes encryption as munitions. Then all they have to do to change it is cease classing it as such, as they could to, say, bazookas :)
#19 Re:Crypto Ruling and Mozilla
by Bradley Robinson <email@example.com>
Saturday May 8th, 1999 5:25 PM
If enough of the US Congress and the states want to ban the export of strong encryption, then it's not impossible for them to make an amendment that does just that. The 16th amendment to the US Constitution, the "Income Tax Amendment" was in response to a Supreme Court ruling that it was unconstitutional. If they pass an amendment that said something like
-----------------------------------
Encryption code in either 'source' or 'binary' form is hereby not covered under the 1st amendment of the Constitution and is hereby defined as a military weapon.....
(The rest would set punishment and would give the Congress the ability to enforce the amendment with proper legislation)
----------------------------------
it would give them the ability to control encryption code originating within the US the same way they can control a cruise missile or any other type of "military weapon". Let's just find out what the Supreme Court has to say. BTW, how much of Congress do the Democrats control? Remember, they don't represent their state, they represent their party :-(
#20 Time to throw crypto code all over the place!
by grappler <firstname.lastname@example.org>
Monday May 10th, 1999 11:31 AM
This ruling might still be overturned, so the thing to do now is get crypto modules into the open, in many places (especially other countries). This should be done all over the place, in fact, so that the idea of banning it again will seem all the more absurd. Commoditize crypto! Hurry!
If it's an open source project why can't they just found it in a country that allows encryption and screw the entire question? Should just be a project that does nothing but crypto code and related stuff so that any other program can use it just by adding the modules. I doubt it is illegal to put a link inside Netscape that automatically downloads the newest encryption modules from whatever country once a month. Then everyone has the same encryption, we have no stupid forms to fill out, and it's all nice and tidy. Only down side is Americans couldn't write any of the code for the project unless someone there is willing to scan in printed copies. Not exactly a big deal. Just sort of slow.