caml-list - the Caml user's mailing list
* Re: [Caml-list] Cryptokit: cryptographic library for OCaml
@ 2002-04-05 15:01 Krishnaswami, Neel
  2002-04-05 15:12 ` Sven
  0 siblings, 1 reply; 9+ messages in thread
From: Krishnaswami, Neel @ 2002-04-05 15:01 UTC
  To: 'caml-list@inria.fr'

Sven [mailto:luther@dpt-info.u-strasbg.fr] wrote:
> On Fri, Apr 05, 2002 at 04:02:14PM +0200, Xavier Leroy wrote:
> > My amateur, unfocused interest for applications of 
> > cryptography led me to implement the Cryptokit library of 
> > cryptographic primitives for OCaml, providing:
> 
> Mmm, what are the legal restrictions related to this? Is it legal to
> distribute it in France (legislation may have changed since
> last I checked about such things a few years ago)? Is it legal to
> distribute it from a US-based server (I think yes, but you would
> need to declare the software to the NSA or something such).

I don't know about the details of French law, but in the USA 
there is no need for any review of open-source cryptography 
software, whether in source or binary format. 

See: http://www.bxa.doc.gov/Encryption/EncryptionRuleOct2K.html

-- 
Neel Krishnaswami
neelk@cswcasa.com
-------------------
To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr
Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners



* Re: [Caml-list] Cryptokit: cryptographic library for OCaml
  2002-04-05 15:01 [Caml-list] Cryptokit: cryptographic library for OCaml Krishnaswami, Neel
@ 2002-04-05 15:12 ` Sven
  0 siblings, 0 replies; 9+ messages in thread
From: Sven @ 2002-04-05 15:12 UTC
  To: Krishnaswami, Neel; +Cc: 'caml-list@inria.fr'

On Fri, Apr 05, 2002 at 10:01:00AM -0500, Krishnaswami, Neel wrote:
> Sven [mailto:luther@dpt-info.u-strasbg.fr] wrote:
> > On Fri, Apr 05, 2002 at 04:02:14PM +0200, Xavier Leroy wrote:
> > > My amateur, unfocused interest for applications of 
> > > cryptography led me to implement the Cryptokit library of 
> > > cryptographic primitives for OCaml, providing:
> > 
> > Mmm, what are the legal restrictions related to this? Is it legal to
> > distribute it in France (legislation may have changed since
> > last I checked about such things a few years ago)? Is it legal to
> > distribute it from a US-based server (I think yes, but you would
> > need to declare the software to the NSA or something such).
> 
> I don't know about the details of French law, but in the USA 
> there is no need for any review of open-source cryptography 
> software, whether in source or binary format. 
> 
> See: http://www.bxa.doc.gov/Encryption/EncryptionRuleOct2K.html

There is no restriction on exportation, but you need to fill in a declaration or
something with the NSA (I think) about it.

I followed from afar all the discussion about it when Debian decided to move the
crypto stuff from its non-US servers into the main archive, which is US-based,
so it would be no problem for me to package it as a Debian package. There may
be French issues though, since it is distributed from INRIA's web site. But
then I think, due to the banks' pressure on the government, that most of
those restrictions were lifted a year or so ago, not sure though.

Friendly,

Sven Luther

* Re: [Caml-list] Cryptokit: cryptographic library for OCaml
  2002-04-05 19:36   ` Xavier Leroy
@ 2002-04-07 17:17     ` Julian Assange
  0 siblings, 0 replies; 9+ messages in thread
From: Julian Assange @ 2002-04-07 17:17 UTC
  To: Xavier Leroy; +Cc: Sven, caml-list

> the AES implementation it provides just to generate pseudo-random
> numbers (don't laugh -- the PRNG in the library does exactly this).

It's interesting to think about what this means. If the cipher is
secure, then the entropy generated in the device breaking it is >=
the "entropy" in the PRNG stream. I would argue that provided
seeding is random, the PRNG is an RNG, because there is no simpler
description of the system than the PRNG output itself! Obviously
this isn't true for an infinite stream, so no fixed cipher has
infinite resolution as a PRNG (except for Vernam, but that's
cheating). Yet it's possible to imagine a system of ciphers where
the amount of state held by the cipher was tightly coupled to the
amount of state theoretically revealed by the PRNG output, resulting
in infinite work to break infinite PRNG output.

--
 Julian Assange        |If you want to build a ship, don't drum up people
                       |together to collect wood or assign them tasks and
 proff@iq.org          |work, but rather teach them to long for the endless
 proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery

* Re: [Caml-list] Cryptokit: cryptographic library for OCaml
  2002-04-05 14:29 ` Sven
  2002-04-05 14:18   ` Remi VANICAT
  2002-04-05 15:10   ` Julian Assange
@ 2002-04-05 19:36   ` Xavier Leroy
  2002-04-07 17:17     ` Julian Assange
  2 siblings, 1 reply; 9+ messages in thread
From: Xavier Leroy @ 2002-04-05 19:36 UTC
  To: Sven; +Cc: caml-list

> Mmm, what are the legal restrictions related to this? Is it legal to
> distribute it in France (legislation may have changed since last I checked
> about such things a few years ago)? Is it legal to distribute it from a
> US-based server (I think yes, but you would need to declare the software to the
> NSA or something such).

I wish I knew for sure :-) I spent significant time reading the French
laws on the DCSSI Web site
(http://www.scssi.gouv.fr/fr/reglementation/index.html).

(FYI, the DCSSI is roughly the French equivalent of the NSA.)

It appears that cryptographic means ("moyens de cryptographie",
whatever that means) are regulated differently depending on whether
they are used for authentication (passwords, signature, data
integrity), confidentiality (encryption), copy protection, in mobile
phones, for bank transactions, in spread-spectrum devices, etc.

From this list, it appears that only whole software applications or
hardware devices are subject to regulations.  A library like my
Cryptokit doesn't by itself ensure authentication, confidentiality,
etc: this is a property of the application that uses it.  Cryptokit
just transforms streams of bytes in various ways.  Heck, you could use
the AES implementation it provides just to generate pseudo-random
numbers (don't laugh -- the PRNG in the library does exactly this).

So, I think I'm not violating any French regulation by distributing
this library.  Now, if you use it in a program, it is up to you to
make sure you comply with the law.  (E.g. a Caml-powered
spread-spectrum device is a no-no :-)

As for other countries, I haven't the least idea of their regulations.
To get definitive answers to your questions, you'll need to consult a
competent lawyer, not me.

- Xavier Leroy

* Re: [Caml-list] Cryptokit: cryptographic library for OCaml
  2002-04-05 14:18   ` Remi VANICAT
@ 2002-04-05 15:29     ` Sven
  0 siblings, 0 replies; 9+ messages in thread
From: Sven @ 2002-04-05 15:29 UTC
  To: Remi VANICAT; +Cc: caml-list

On Fri, Apr 05, 2002 at 04:18:57PM +0200, Remi VANICAT wrote:
> Sven <luther@dpt-info.u-strasbg.fr> writes:
> 
> > Mmm, what are the legal restrictions related to this? Is it legal to
> > distribute it in France (legislation may have changed since last I
> > checked about such things a few years ago)? Is it legal to
> > distribute it from a US-based server (I think yes, but you would
> > need to declare the software to the NSA or something such).
> 
> There has been a discussion about this in the debian.devel mailing
> list and the conclusion is that there isn't too much of a problem about
> it. But I don't find here the document saying what has to be done.

For Debian packaging and US-based servers, I have no problem, since all is
already in place in the Debian archive to make the US regulators happy (and
flood them with too much information also, by the way).

There may be other issues though, especially with regard to the French
legislation (which did change some time ago, but I don't know to what extent)
and also with some patent issues which are different in the US and in Europe.

Friendly,

Sven Luther

* Re: [Caml-list] Cryptokit: cryptographic library for OCaml
  2002-04-05 14:29 ` Sven
  2002-04-05 14:18   ` Remi VANICAT
@ 2002-04-05 15:10   ` Julian Assange
  2002-04-05 19:36   ` Xavier Leroy
  2 siblings, 0 replies; 9+ messages in thread
From: Julian Assange @ 2002-04-05 15:10 UTC
  To: Sven; +Cc: Xavier Leroy, caml-announce

> Mmm, what are the legal restrictions related to this? Is it legal to
> distribute it in France (legislation may have changed since last I checked
> about such things a few years ago)? Is it legal to distribute it from a
> US-based server (I think yes, but you would need to declare the software to the
> NSA or something such).

The legislation has changed in France, but in any event, no-one
cares. There's no political will for prosecutions. The "once over"
by the NSA is not something that department is interested in but
rather a political concession given to get crypto controls in the
US deregulated.

--
 Julian Assange        |If you want to build a ship, don't drum up people
                       |together to collect wood or assign them tasks and
 proff@iq.org          |work, but rather teach them to long for the endless
 proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery

* Re: [Caml-list] Cryptokit: cryptographic library for OCaml
  2002-04-05 14:02 Xavier Leroy
@ 2002-04-05 14:29 ` Sven
  2002-04-05 14:18   ` Remi VANICAT
                     ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Sven @ 2002-04-05 14:29 UTC
  To: Xavier Leroy; +Cc: caml-announce

On Fri, Apr 05, 2002 at 04:02:14PM +0200, Xavier Leroy wrote:
> My amateur, unfocused interest for applications of cryptography led me
> to implement the Cryptokit library of cryptographic primitives for
> OCaml, providing:
> 
>   - Symmetric-key cryptography: AES, DES, Triple-DES, ARCfour.
>   - Public-key cryptography: RSA.
>   - Hash functions and MACs: SHA-1, MD5, and MACs based on AES and DES.
>   - Random number generation.
>   - Encodings and compression: base 64, hexadecimal, Zlib compression.
> 
> It is available at http://pauillac.inria.fr/~xleroy/software.html
> 
> From a language standpoint, while the low-level crypto code in this
> library is uninteresting (it's the same snippets of C that you'll find
> everywhere), I'm relatively proud of the Caml high-level interface,
> which makes tasteful use of objects (if I may say so myself).
> 
> Enjoy,
> 
> - Knivre Yrebl

Mmm, what are the legal restrictions related to this? Is it legal to
distribute it in France (legislation may have changed since last I checked
about such things a few years ago)? Is it legal to distribute it from a
US-based server (I think yes, but you would need to declare the software to the
NSA or something such).

Friendly,

Sven Luther

* Re: [Caml-list] Cryptokit: cryptographic library for OCaml
  2002-04-05 14:29 ` Sven
@ 2002-04-05 14:18   ` Remi VANICAT
  2002-04-05 15:29     ` Sven
  2002-04-05 15:10   ` Julian Assange
  2002-04-05 19:36   ` Xavier Leroy
  2 siblings, 1 reply; 9+ messages in thread
From: Remi VANICAT @ 2002-04-05 14:18 UTC
  To: caml-list

Sven <luther@dpt-info.u-strasbg.fr> writes:

> Mmm, what are the legal restrictions related to this? Is it legal to
> distribute it in France (legislation may have changed since last I
> checked about such things a few years ago)? Is it legal to
> distribute it from a US-based server (I think yes, but you would
> need to declare the software to the NSA or something such).

There has been a discussion about this in the debian.devel mailing
list and the conclusion is that there isn't too much of a problem about
it. But I don't find here the document saying what has to be done.
-- 
Rémi Vanicat
vanicat@labri.u-bordeaux.fr
http://dept-info.labri.u-bordeaux.fr/~vanicat

* [Caml-list] Cryptokit: cryptographic library for OCaml
@ 2002-04-05 14:02 Xavier Leroy
  2002-04-05 14:29 ` Sven
  0 siblings, 1 reply; 9+ messages in thread
From: Xavier Leroy @ 2002-04-05 14:02 UTC
  To: caml-announce

My amateur, unfocused interest for applications of cryptography led me
to implement the Cryptokit library of cryptographic primitives for
OCaml, providing:

  - Symmetric-key cryptography: AES, DES, Triple-DES, ARCfour.
  - Public-key cryptography: RSA.
  - Hash functions and MACs: SHA-1, MD5, and MACs based on AES and DES.
  - Random number generation.
  - Encodings and compression: base 64, hexadecimal, Zlib compression.

It is available at http://pauillac.inria.fr/~xleroy/software.html

From a language standpoint, while the low-level crypto code in this
library is uninteresting (it's the same snippets of C that you'll find
everywhere), I'm relatively proud of the Caml high-level interface,
which makes tasteful use of objects (if I may say so myself).

Enjoy,

- Knivre Yrebl