Re: Is it legal to serve up HTML pages through SSL to all??
From: Nico Kadel-Garcia (nkadel@bellatlantic.net)Date: 01/28/02
- Next message: phn@icke-reklam.ipsec.nu: "Re: sshd [871] random session key or cracked?"
- Previous message: gaius.petronius: "Re: sshd [871] random session key or cracked?"
- Maybe in reply to: Carlos C. Gonzalez: "Is it legal to serve up HTML pages through SSL to all??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Nico Kadel-Garcia" <nkadel@bellatlantic.net> Date: Mon, 28 Jan 2002 05:52:55 GMT
"Carlos C. Gonzalez" <aperlprogrammer@yahoo.com> wrote in message
news:MPG.16be268cfb4bba76989854@news.edmonton.telusplanet.net...
> those who know me have no need of my name at not-a-real-address@usa.net
> said...
>
> > if you have a question related to ssh please post it.
>
> Sorry if I posted to the wrong newsgroup. In reading up on SSL I came
> upon the statement that this newsgroup was the one to post questions to
> about SSL or SSH. I guess not heh?
I am not a lawyer, but will try to answer your questions.
Your question was slightly related to this newsgroup, do to the use of
OpenSSL libraries for SSH and the simple fact that it is encryption. The
state of US law about the use of encryption is both blatantly
unconstitutional and deliberately so obscure as to be impossible to
precisely determine, thus trying to avoid having to defend it in court.
Basically, as it stands, the Department of Commerce wants everyone who might
export encryption tools to submit it to them and get their blessing. Despite
their public claims, they do in fact tell vendors and authors what not to
export, and they will sit on applications a long time if they don't like
you. And the regulation, as it stands, constitutes a blatant form of "prior
restraint": take a look for those key words with encryption for some
discussion of the problem.
This kind of regulation was already found to be unconstitutional when done
through Customs, and the White House transferred the regulation to Commerce
in order to be able to continue using it to prevent widespread, untappable
encryption which would basically screw both domestic and overseas traffic
monitoring. Whether the government should have and use such powers, given
that they are used without warrant or any notice to the observed and in
clear violation of both domestic and international law, is another matter,
but this is how it currently stands. Their desire to prevent having to spend
large amounts of money and manpower to install and use even
warrant-authorized taps on email, telephone, and other computer
transmissions is understandable. Their method of doing so is stupid and
illegal. There have also been attempts to mandate specific forms of
encryption for which the government would retain a full set of decryption
keys, namely the "Clipper Chip", but it turned out that not only did they
violate at least 3 patents, but they screwed it up so that you could
generate your own keys dynamically and avoid their decryption keys. So they
buried it, and we've never heard from *that* develoment team again....
Now, modest levels of encryption for friendly nations, particularly Canada,
seems in my experience to be basically ignored. There have also been some
recently published policies claiming that "128-bit software is OK to ship to
friendly countries", but when I checked, you still had to get the Department
of Commerce to sign off on it.
But I've never even heard of anyone getting any legal grief for using an SSL
based server for HTML. If you were *selling* servers, I think that would
potentially cause trouble in the US. If you're using a commercial or even
freeware SSL implementation and HTML server software, and not shipping
encryption software yourself, I don't think you'll have a problem.
> Somebody from this group emailed me some reassurance and I think I will
> leave it that.
>
> Thanks again. I honestly didn't mean to post off-topic. I've been on
> newsgroups long enough to know that one should not do that if they want
> to avoid the heat :).
No problem, for me at least. It gave me a chance to explain some of the
current wackiness for SSH users who may not be familiar with the issues.
- Next message: phn@icke-reklam.ipsec.nu: "Re: sshd [871] random session key or cracked?"
- Previous message: gaius.petronius: "Re: sshd [871] random session key or cracked?"
- Maybe in reply to: Carlos C. Gonzalez: "Is it legal to serve up HTML pages through SSL to all??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
