>I thought everyone was at least *pretending* >that the NSA was staying within the scope of their charter. But they are ... they are not exerting any "statutory or regulatory authority" ... they review the technical capabilities of a product. I do not agree with the policies and find that the process hurts my business, but the NSA is following a fairly clear set of guidelines. >Different rulings for different companies that >are not following any pattern that security savy >lawyers can use to guide companies along. I have not seen that much variation ... perhaps a gradual loosening, but no wild variations. The variations most likely come from the range in ablility of vendors to document the products that they build. Paul -------------------------------------------------------------- Paul Lambert Director of Security Products Oracle Corporation Phone: (415) 506-0370 500 Oracle Parkway, Box 659410 Fax: (415) 413-2963 Redwood Shores, CA 94065 palamber@us.oracle.com --------------------------------------------------------------
-- BEGIN included message
- To: Robert,Moskowitz,rgm3@chrysler.com
- Subject: Re: Yes, you can export SHA and MD5
- From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
- Date: 20 May 96 15:59:41
- Cc: LAMBER@us.oracle.com
Date: Mon, 20 May 1996 15:25:57 -0400 From: Robert Moskowitz <rgm3@chrysler.com> (Note: ipsec has been removed from the cc list.) At 01:40 PM 5/20/96 -0400, Theodore Y. Ts'o wrote: > From: "PALAMBER.US.ORACLE.COM" <PALAMBER@us.oracle.com> > > No, just call the NSA ... lawyers opinions don't count. > >I can't tell from your e-mail message whether you're joking or not.... ! Unfortunately he is not. I have had to be in some policy meetings in DC on ITAR stuff, and this is the theme I have heard. Different rulings for different companies that are not following any pattern that security savy lawyers can use to guide companies along. I didn't think the NSA as an agency had the statutory or regulatory authority to make decisions regarding export control. It's one thing if the State Department and the Commerce Department were under the thrall of the NSA and always blindly followed the NSA's lead --- but that's still a far cry from saying that companies should call the NSA because its the agency running the whole show. (This was why I wasn't sure whether Paul was joking!) I thought everyone was at least *pretending* that the NSA was staying within the scope of their charter. :-) This alone is reason enough to scrap the whole system. What you've described is called "secret law" (if you can prove it) and last I checked, it wasn't legal within the United States.... - Ted
-- END included message