[cryptography] Interesting Webcrypto question

Adam Back adam at cypherspace.org
Sun Mar 3 18:43:19 EST 2013

The realism of export restricting open source software is utterly ludicrous. 
Any self-declaration click-through someone might implement can be clicked
through by anyone, from anywhere, and I presume someone from an embargoed
country is more worried about their own countries laws than US laws, to the
extent that it is apparently illegal in the US to ignore site policies
(which itself is stupid, as the Swartz case demonstrates).

In fact anyway most countries that are likely to be on an embargo list,
probably are so repressive they dont allow encryption for their subjects
anyway.  If the government of the embargoed country wants a piece of
software you can be damn sure a click through isnt going to stop them.  Also
the exemptions and conflicts are getting confusing - in some cases the USG
has actually funded encryption softare for VPN tunneling targetted at the
regimes of a very likely overlapping set of countries that it is embargoing. 
I guess we want their citizens to have encryption to tunnel out, but not
their government nor arms-manufacturers.

Governments and most corporations cant seem to keep the Chinese from bulk
downloading all their firewalled restricted secrets or "IP" never mind stuff
that is available for open download by design!

I guess they never heard of VPNs and proxies.  If everyone and his dog can
stream movies from any country-IP restricted service, I dare say they can
download any bits they care to with zip effort.

You know I did hear it is also the law that hackney carriages (aka taxi
cabs) in london must carry a fresh bale of straw, makes about as much sense
as open source and jscript crypto export restrictions in an internet world.

It does make a lot of sense not to sell embargoed countries physical
weaponry.  (I guess unless the West has just flip-flopped sides on the
embargoed country and the newly installed dictator is now "our" dictator,
then the mil-industry complex will be glad to have a clearance sale of
previous previous gen old-stock mil-hardware.)

Well anyway you can see the logic of not offering assistance of any form,
paid or free, to these embargoed orgs and countries, but the futility of
trying to censor information is just dumb.  Maybe it would be more
productive in the current USG "info-war" mentality to block and disconnect
embargoed orgs and countries government sites from the internet in general. 
(But not their citizens who presumably we encourage to read international
news etc).  But that obviously is also at best going to be a minor irritant
to them - they can just install consumer labeled IPs and tunnels.


On Mon, Mar 04, 2013 at 11:21:04AM +1300, Peter Gutmann wrote:
>Arshad Noor <arshad.noor at strongauth.com> writes:
>>Open-source crypto that is downloadable from public-sites has a special
>>designation in the EAR; you only need to notify the BIS and provide the
>>download URL.
>Controls for export to the T<whatever-it-is-this-week> countries override the
>5D002 exception.  In other words there's an exception to the exception (or in
>computer security terms the deny MAC overrides the allow MAC).  This is why I
>specifically mentioned countries like North Korea and Iran.
>cryptography mailing list
>cryptography at randombit.net

More information about the cryptography mailing list