Ran,

I just called the NSA on SHA export... MD5 and SHA are both "export controlled", but they are both "under Department of Commerce jurisdiction". Hash algorithms can be readily exported. SHA and MD5 are treated the same for US export considerations.

I'd recommend a change from MD5 to SHA ...

Paul

--------------------------------------------------------------
Paul Lambert                     Director of Security Products
Oracle Corporation               Phone: (415) 506-0370
500 Oracle Parkway, Box 659410   Fax: (415) 413-2963
Redwood Shores, CA 94065         palamber@us.oracle.com
--------------------------------------------------------------
-- BEGIN included message
- To: PALAMBER@us.oracle.com
- Subject: Re: moving forward ?
- From: "Ran Atkinson" <rja@cisco.com>
- Date: 17 May 96 09:11:59
Umm. There is one small problem with SHA-1. The FIPS PUB 180-1 (http://129.6.52.11/fips/fip180-1.txt) indicates that SHA-1 is export-controlled under Commerce Department rules. MD5 is believed not to be export controlled. This is an issue in many vendors' minds. As long as we use HMAC, I'm indifferent about MD5 or SHA-1.

I'm still not seeing anything resembling consensus on key management. We earlier put SKIP into the RFC publication queue for "Experimental" status (it was delayed by the March issuance of "IAB Official Protocols", which caused a backlog at the RFC Editor). Bill Simpson plans to put out Photuris as Experimental eventually. I'm not sure what the status is with ISAKMP and Oakley. I'll ping the folks back east and check...

Ran
rja@cisco.com
--
-- END included message