Questions regarding export restrictions in Europe

1999-07-16 Thread prodigy

Hello

I have tried to contact the local folks here but due to summer vacation
and general ignorance I haven't been able to get a 100% straight answer
from the various government departments in Denmark.

I was wondering if it's illegal for me to offer export restricted
software for download on my website. The software in question
is created and distributed inside USA, it's illegal to export it
out of USA. Now, since this already happened, is it illegal for
me to continue offering downloads from my server located in Denmark?

Thanks for your time.

--
Morten



Re: Clear Session ID in SSLV3

1999-07-16 Thread Eric Young

"Marcus J. Ranum" wrote:
 
> Does anyone have a pointer to why the session ID in SSLV3 is
> in the clear, rather than encrypted? I'm sure there's a good
> reason for it (audit? logging? other...?)  but I'm trying to
> pin down exactly why it was done that way. Can anyone point
> me in the right direction?

Because it is sent in the first message from the client
to the server.  It is intended to short circuit the
SSL protocol handshake and reduce the number of messages
exchanged.

Since the client and server don't have a known shared secret yet,
we cannot encrypt the session-id.

eric



Re: Clear Session ID in SSLV3

1999-07-16 Thread Ben Laurie

"Marcus J. Ranum" wrote:
 
> Does anyone have a pointer to why the session ID in SSLV3 is
> in the clear, rather than encrypted? I'm sure there's a good
> reason for it (audit? logging? other...?)  but I'm trying to
> pin down exactly why it was done that way. Can anyone point
> me in the right direction?

Because the session ID is used to restore the shared cryptographic
environment, for performance reasons. Hence it has to be in the clear.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
 - Indira Gandhi



BBC report alleges UK tapped all communications to Ireland

1999-07-16 Thread Perry E. Metzger


Not quite cryptography, but it is SIGINT.

http://news.bbc.co.uk/hi/english/uk_politics/newsid_395000/395843.stm

First paragraphs (From the BBC):

Headline: UK 'monitored Irish phone calls' 

Subhead: The messages were scanned for key words 

The UK Government tapped all telephone messages between Britain
and Ireland during the past 10 years, it has been alleged. 

Channel 4 News said a tower in Capenhurst, Cheshire, was used to
intercept all telephone signals between Ireland and the UK from 1989
to when it closed down earlier this year.

The 13-storey windowless tower used electronic equipment to collect
and store all faxes, e-mails, telexes and data communications, the
programme said. Their contents were then allegedly scanned for key
words and subjects of interests.

[...]



Commonwealth of Massachusetts will support uniform digital signature law

1999-07-16 Thread Robert Hettinga

Gotta watch that reply-to-all "feature" of listserv, Dan. It'll getcha.

:-).

Cheers,
RAH

--- begin forwarded text


Date: Fri, 16 Jul 1999 09:57:29 -0400
Reply-To: [EMAIL PROTECTED]
Sender: Digital Signature discussion [EMAIL PROTECTED]
From: Daniel Greenwood [EMAIL PROTECTED]
Subject:  Follow up
Comments: To: Digital Signature discussion [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Hello everyone,

I just accidentally sent e-mail (spam) to the whole list that was
intended only for Ben (hit the "reply" button and let it fly too
quickly).  In any case, general participants on this list might find
parts of my prior e-mail interesting, and some of the points deserve a
bit deeper discussion.  Later today or early next week, Massachusetts
will be publishing an official statement on federal legislation, but
here are some previews

One: Massachusetts has agreed (via testimony before the House and
Senate) to the principles that Ben has stated in his last e-mail.  (see
http://www.civics.com/content/99-legis.htm for the testimony of Ray
Campbell and myself).  That is, we are on record supporting the UETA
(general lifting of real and/or perceived legal barriers to use of
electronic records, e-signatures and e-contracts) and for some limited
federal preemption in the interim which disappears when a state enacts
UETA or other conforming law.

Two: The marked up version of S. 761 and the filed version of H.R. 1714
raise some legal issues that need to be dealt with.  In particular, with
761 as marked up, the general provisions dealing with writing and
signing requirements are over-broad in scope and require either
exceptions or the scope of the bill should be constricted back to the
original version of 761 (dealing only with e-contracts and party
autonomy to use any technology or business model for electronic
transactional methods).  Some of our concerns mirror those stated by
NCCUSL, N.J. and others on and off this list (negotiable instruments -
UCC Article 3, possibly commercial real estate conveyance, certain
consumer protection laws, etc.).  At this point in time, it appears that
people interested in this legislation in D.C. prefer not to draw a long
list of exceptions and would rather constrict the scope.  (This could be
achieved by deleting the newly added Sections 6(a)(1),(3) and (4) and
also perhaps the attribution rules).

Three: Industry supporters of 761 have also voiced a desire to see
certain changes in 761 and there appears to be a window within which to
operate before the bill is voted out of the Senate.  However, even if
761 is voted out of the Senate as it stands out of mark up, provided
certain exceptions to scope were included before Congress enacted the
legislation (after conference committees, possible floor amendments
etc.) then Massachusetts is on record as supporting this legislation.

Four: Before hitting the "send" button on an e-mail client - ALWAYS
check to see whether the "reply" function addressed the message to your
intended recipient or to a huge list of luminaries.

Thanks,
Dan

--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: Clear Session ID in SSLV3

1999-07-16 Thread Tom Weinstein

"Marcus J. Ranum" wrote:
 
> Does anyone have a pointer to why the session ID in SSLV3 is
> in the clear, rather than encrypted? I'm sure there's a good
> reason for it (audit? logging? other...?)  but I'm trying to
> pin down exactly why it was done that way. Can anyone point
> me in the right direction?

If it was encrypted, you couldn't use it to identify a session when resuming. 
Since that was the only reason for having a session ID in the first place, it
wouldn't make any sense to encrypt it.

-- 
What is appropriate for the master is not appropriate | Tom Weinstein
for the novice.  You must understand Tao before       | [EMAIL PROTECTED]
transcending structure.  -- The Tao of Programming    |



Re: Relative use of SSLV3 versus SSLV2

1999-07-16 Thread Tom Weinstein

"Marcus J. Ranum" wrote:
 
> Does anyone out there have any statistics about usage of
> SSLV3 versus SSLV2? I'm trying to get a feeling for how much
> product support there needs to be for V2 -- is there even
> a significant user base for it anymore? Does anyone keep any
> measures of version usage??

Unfortunately, use of SSL2 is still significant.  Anyone using a Netscape
Commerce Server 1.0 still only has SSL2.  This includes a number of major
ecommerce sites.  I believe that the latest CommerceXpert server from
Netscape/AOL includes SSL3.

Anyone using a new version of Apache/SSL or Netscape Enterprise Server has
SSL3.

When I was at Netscape, we asked Forrester if they had any numbers on this
stuff, and they told us that they weren't tracking it at that time.  You might
want to check with them again to see if they've started doing it.

-- 
What is appropriate for the master is not appropriate | Tom Weinstein
for the novice.  You must understand Tao before       | [EMAIL PROTECTED]
transcending structure.  -- The Tao of Programming    |