"Frank Hecker" <[EMAIL PROTECTED]> wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Jonathan Wilson wrote: > > > I know about the crypto FAQ & have read it. > > My question is this: > > Given that, in light of the recent attacks, the US government is likely > > to take the knee-jerk reaction and restrict crypto in some way, how will > > the mozilla project handle this? > > > My apologies for the delay in responding; what follows are my personal > opinions: > > IMO it's premature to speculate in the absence of any announced changes > to the existing US encryption export regulations. Such changes might > range from the relatively minimal (e.g., requiring domain name checking > on open source crypto downloads from US-based servers) to the draconian > (e.g., outlawing the use or export of crypto software without mandated > "back doors"), and given that it's impossible to formulate a simple > answer to a question like "how will the Mozilla project handle this?". > > There are only two things I can be pretty sure of: > > First, whatever the changes (if any) turn out to be, US-based > organizations involved with Mozilla will comply with whatever the new > laws and regulations turn out to be, even if in practice that means > getting out of the business of developing and distributing open source > crypto software. Individual crypto developers are of course free to > quietly ignore more restrictive laws and regulations, or even to engage > in highly visible civil disobedience; however US-based corporations > involved in crypto development can't afford to do this, given the legal > risk they'd bring upon themselves. (In this connection, note that most > mozilla.org staff are US-based employees of US-based corporations, and > the key Mozilla servers are US-based. So "mozilla.org" in that sense is > going to be constrained by US laws and regulations.) > > Second, the current Mozilla crypto source code is already available on > non-US download sites, and neither the US government nor anyone else has > the legal power or technical capability to get it back. (I'm not a CVS > expert, so I can't comment on the technical difficulty of setting up a > full writable copy of the current Mozilla CVS repository, or at least > the crypto part of it.)
The government could just require that CAs give them a copy of all public keys. It strikes me that that would be far easier to enforce, legally and technically, than mandating specific crippled forms of crypto.
