
Re: liability for selling bad crypto?



At 12:27 AM 5/13/98 -0400, Perry E. Metzger wrote:

Perry, a product could easily bury a 40-bit DES configure option for domestic
use.  Most companies, today, can get export license for decent crypto
without key recovery for their overseas operations (unless it is located in
France, then it is an IMPORT restriction).  So the issue is those poor
non-US companies that insist on using US products and cross-border
connections with US products (instead of mix operating environment).

So what you detail here is important for those of us fighting the crypto
battle in DC, but can be avoided with due diligence in product development.

>By the way, the "cryptography" mailing list has been having an
>interesting discussion of whether companies are liable for selling bad 
>crypto products or for relying upon them if they know that they are
>bad. I'm forwarding one of the recent messages on the topic. The
>entire discussion has been interesting thus far, although only some of 
>the participants have been lawyers.
>

Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com

