
Re: Yes, you can export SHA and MD5



 
>You should see your favorite 
>high-priced export control lawyer for an  
>official legal opinion. 
 
No, just call the NSA ... lawyers' opinions don't count. 
 
All cryptography is export controlled (from the US).  Cryptographic 
functionality used in a product that provides only integrity and 
authentication services is usually "easy" to export. 
 
 
Paul 
 
-------------------------------------------------------------- 
Paul Lambert                     Director of Security Products 
Oracle Corporation                       Phone: (415) 506-0370 
500 Oracle Parkway, Box 659410             Fax: (415) 413-2963 
Redwood Shores, CA  94065               palamber@us.oracle.com 
-------------------------------------------------------------- 
  


-- BEGIN included message


   Date: 17 May 96 15:19:05 -0700
   From: "PALAMBER.US.ORACLE.COM" <PALAMBER@us.oracle.com>

   SHA and MD5 are both export controlled, both are "easy" to export.  Export
   should not be a consideration in the comparison of SHA to MD5.

Well, to be precise, the NSA has made the claim that SHA and MD5 are
export controlled, and the NIST's FIPS documenting SHA claims that SHA
is export controlled.  

There seems to be at least some controversy as to what statutory
and regulatory authorities they are using to make either statement, at
least where SHA and MD5 are being used in a system which does not use any
encryption methods or which attempts to engage in data hiding.

As far as I know, no one on the IPSEC list is a lawyer, and is actively
giving legal advice (myself included).  You should see your favorite
high-priced export control lawyer for an official legal opinion.

My own personal belief is that any algorithm suite which is using as
weak an encryption as single DES might as well use HMAC-MD5.  If we were
going to use triple-DES for encryption it would perhaps make sense to
use HMAC-SHA, or some such.

						- Ted

-- END included message