[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Yes, you can export SHA and MD5

To: tytso@mit.edu
Subject: Re: Yes, you can export SHA and MD5
From: "PALAMBER.US.ORACLE.COM" <PALAMBER@us.oracle.com>
Date: 20 May 96 19:58:15 -0700
Cc: ipsec@TIS.COM
Sender: ipsec-approval@neptune.tis.com

 
>I thought everyone was at least *pretending* 
>that the NSA was staying within the scope of their charter. 
 
But they are ... they are not exerting any "statutory or regulatory 
authority" ... they review the technical capabilities of a product. 
 
I do not agree with the policies and find that the process hurts my business, 
but the NSA is following a fairly clear set of guidelines. 
 
>Different rulings for different companies that  
>are not following any pattern that security savy 
>lawyers can use to guide companies along. 
 
I have not seen that much variation ... perhaps a gradual loosening, but no 
wild variations.  The variations most likely come from the range in ablility 
of vendors to document the products that they build. 
 
 
Paul 
 
 
 
-------------------------------------------------------------- 
Paul Lambert                     Director of Security Products 
Oracle Corporation                       Phone: (415) 506-0370 
500 Oracle Parkway, Box 659410             Fax: (415) 413-2963 
Redwood Shores, CA  94065               palamber@us.oracle.com 
--------------------------------------------------------------

-- BEGIN included message

To: Robert,Moskowitz,rgm3@chrysler.com
Subject: Re: Yes, you can export SHA and MD5
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Date: 20 May 96 15:59:41
Cc: LAMBER@us.oracle.com

   Date: Mon, 20 May 1996 15:25:57 -0400
   From: Robert Moskowitz <rgm3@chrysler.com>

(Note: ipsec has been removed from the cc list.)

   At 01:40 PM 5/20/96 -0400, Theodore Y. Ts'o wrote:
   >   From: "PALAMBER.US.ORACLE.COM" <PALAMBER@us.oracle.com>
   >
   >   No, just call the NSA ... lawyers opinions don't count. 
   >
   >I can't tell from your e-mail message whether you're joking or not.... !

   Unfortunately he is not.  I have had to be in some policy meetings in DC on
   ITAR stuff, and this is the theme I have heard.  Different rulings for
   different companies that are not following any pattern that security savy
   lawyers can use to guide companies along.

I didn't think the NSA as an agency had the statutory or regulatory
authority to make decisions regarding export control.  It's one thing if
the State Department and the Commerce Department were under the thrall
of the NSA and always blindly followed the NSA's lead --- but that's
still a far cry from saying that companies should call the NSA because
its the agency running the whole show.  (This was why I wasn't sure
whether Paul was joking!)  I thought everyone was at least *pretending*
that the NSA was staying within the scope of their charter.  :-)

   This alone is reason enough to scrap the whole system.

What you've described is called "secret law" (if you can prove it) and
last I checked, it wasn't legal within the United States....

						- Ted

-- END included message

Prev by Date: No Subject
Next by Date: Re: Yes, you can export SHA and MD5
Prev by thread: Re: Yes, you can export SHA and MD5
Next by thread: Re: Yes, you can export SHA and MD5
Index(es):
- Main
- Thread