«

Robin Becker wrote:

>> Presumably he is talking about crypo-export rules. In the past strong
>> cryptography has been treated as munitions, and as such exporting it
>> (especially from the USA) could have got you into very serious
>> trouble.
>
So Python is an American Language and must obey American Law. Luckily I
seem to have escaped that fate.
--
Robin Becker

Robin Becker <> writes:
> > Presumably he is talking about crypo-export rules. In the past strong
> > cryptography has been treated as munitions, and as such exporting it
> > (especially from the USA) could have got you into very serious
> > trouble.
>
> well since rotor is a german (1930's) invention it is a bit late for
> Amricans (Hollywood notwithstanding) to be worried about its export

1. I think the concern was not about exporting from the US, but rather
importing into some countries that restrict the use of crypto. But
the cat is out of the bag on that one too. Just about every web
browser includes an SSL stack and those browsers are in use
everywhere.

2. It's irrelevant for the purpose of export rules how old an
invention is or where it was invented. I don't know where machine
guns were invented, but they're at least 100 years old and you can't
export those without a license either. My gripe with the crypto rules
are not about the age or nationality of crypto rotor machines (rotor
is not a clone of the Enigma by the way; it just operates on related
principles) but rather on the control of information in general.
Exporting a machine gun is much different from publishing a
description of one. Software is just a precise type of description.

On 19 Jan 2005 17:09:19 -0800, Paul Rubin <http://> wrote:

>Robin Becker <> writes:
>> > Presumably he is talking about crypo-export rules. In the past strong
>> > cryptography has been treated as munitions, and as such exporting it
>> > (especially from the USA) could have got you into very serious
>> > trouble.
>>
>> well since rotor is a german (1930's) invention it is a bit late for
>> Amricans (Hollywood notwithstanding) to be worried about its export
>
>1. I think the concern was not about exporting from the US, but rather
>importing into some countries that restrict the use of crypto. But
>the cat is out of the bag on that one too. Just about every web
>browser includes an SSL stack and those browsers are in use
>everywhere.
Isn't the SSL dependent on OS or at least shared lib support?
Wasn't there a default 40-bit version that was ok (weak), but you had
to declare yourself US resident to download 128-bit support?
I dimly recall encountering this sort of thing installing Netscape
a long time ago, I think. Is 128 just standard now? And now that 128
is wobbly(?), will the same thing be replayed with the ante upped?

>
>2. It's irrelevant for the purpose of export rules how old an
>invention is or where it was invented. I don't know where machine
>guns were invented, but they're at least 100 years old and you can't
>export those without a license either. My gripe with the crypto rules
>are not about the age or nationality of crypto rotor machines (rotor
>is not a clone of the Enigma by the way; it just operates on related
>principles) but rather on the control of information in general.
I can easily conceive of information that I'd rather not see publicized
without severe access controls. But in general I do believe in open sharing
of free information as the most productive for everyone.

>Exporting a machine gun is much different from publishing a
>description of one. Software is just a precise type of description.
Yeah, but ...

Regards,
Bengt Richter

(Bengt Richter) writes:
> Isn't the SSL dependent on OS or at least shared lib support?

Firefox has its own implementation. IE uses wininet which is built
Windows. I'm not aware of any no-crypto version of Windows but even
if there is one, the US version is running, like, everywhere.

> Wasn't there a default 40-bit version that was ok (weak), but you had
> to declare yourself US resident to download 128-bit support?

That was years ago. The regulations changed since then, so they all
have 128 bits now.

> I dimly recall encountering this sort of thing installing Netscape
> a long time ago, I think. Is 128 just standard now? And now that 128
> is wobbly(?), will the same thing be replayed with the ante upped?

128 isn't wobbly. It will be a long time before any machine can do
2**128 operations to break a message.

Paul Rubin schrieb:
>>Wasn't there a default 40-bit version that was ok (weak), but you had
>>to declare yourself US resident to download 128-bit support?
>
>
> That was years ago. The regulations changed since then, so they all
> have 128 bits now.

Perhaps the NSA has found a way to handle 128bit in the meantime.
But this is unlikely because there is no export regulation to ban
512bit as far as I know

--
-------------------------------------------------------------------
Peter Maas, M+R Infosysteme, D-52070 Aachen, Tel +49-241-93878-0
E-mail 'cGV0ZXIubWFhc0BtcGx1c3IuZGU=\n'.decode('base64')
-------------------------------------------------------------------

Peter Maas wrote:
> Paul Rubin schrieb:
>
>>> Wasn't there a default 40-bit version that was ok (weak), but you had
>>> to declare yourself US resident to download 128-bit support?
>>
>>
>>
>> That was years ago. The regulations changed since then, so they all
>> have 128 bits now.
>
>
> Perhaps the NSA has found a way to handle 128bit in the meantime.
> But this is unlikely because there is no export regulation to ban
> 512bit as far as I know
>

Apparently factorization based crypto is on the way out anyhow (as an
article in Scientific American is reported to claim).

http://www.sciam.com/article.cfm?cha...7F0000&ref=rdf

-can't wait to get my quantum computer-ly yrs-
Robin Becker

Robin Becker <> writes:
> Apparently factorization based crypto is on the way out anyhow (as an
> article in Scientific American is reported to claim).

I haven't seen that SA article but I saw the Slashdot blurb. They
have confused "quantum cryptography" with quantum computation, when
they are entirely different things. Quantum cryptography (basically
communicating a message over an optical fiber in such a way that any
attempt to eavesdrop is supposed destroy the readability of the
message) has been done over quite long distances, 10's of km or even
more. Quantum computation is mostly a theoretical speculation. The
largest quantum computer ever built held seven bits, and factored the
number 15 into its factors 3 and 5. Building larger ones seems to
have complexity exponential in the number of bits, which is not too
much better than using an exponential-time algorithm on a conventional
computer. It's not even known in theory whether quantum computing is
possible on a significant scale. There are just some theorems about
what properties such a computer would have, if it can exist. One of
them, however, is being able to factor in P-time, and that caused
lots of excitement.

Paul Rubin wrote:
> Some countries have laws about cryptography software (against some
> combination of export, import, or use). The Python maintainers didn't
> want to deal with imagined legal hassles that might develop from
> including good crypto functions in the distribution. Then it became
> obvious that the same imagined hassles could also befall the rotor
> module, so that was removed.

Do you know this for a fact? The PSF does comply with the U.S. American
export procedures for crypto code, and reports the crypto code in
Python appropriately to BXA.

Regards,
Martin

"Martin v. Löwis" <> writes:
> > Some countries have laws about cryptography software (against some
> > combination of export, import, or use). The Python maintainers didn't
> > want to deal with imagined legal hassles that might develop from
> > including good crypto functions in the distribution. Then it became
> > obvious that the same imagined hassles could also befall the rotor
> > module, so that was removed.
>
> Do you know this for a fact?

I'm going by newsgroup messages from around the time that I was
proposing to put together a standard block cipher module for Python.

> The PSF does comply with the U.S. American export procedures for
> crypto code, and reports the crypto code in Python appropriately to BXA.

Since rotor was removed, there is no crypto code in Python that needs
reporting.

ldomain wrote:
>>Do you know this for a fact?
>
>
> I'm going by newsgroup messages from around the time that I was
> proposing to put together a standard block cipher module for Python.

Ah, newsgroup messages. Anybody could respond, whether they have insight
or not.

>>The PSF does comply with the U.S. American export procedures for
>>crypto code, and reports the crypto code in Python appropriately to BXA.
>
>
> Since rotor was removed, there is no crypto code in Python that needs
> reporting.

We have released different versions of Python in the past. For Python
2.2, a report about the rotor module was sent to BXA.

Regards,
Martin