Export-Controlled Network Sites for Cryptographic Software
By Kevin
Fu Jeffrey Schiller, the network manager of MIT and an architect of the kerberos authentication system, presented the MIT cryptographic software distribution methods at a Thursday lunchtime workshop. Ron Lee, an attorney for the National Security Agency, gave facts about the regulations on encryption export.
MIT prefers to distribute cryptographic software via the MIT Web site, not an anonymous FTP server. A web distribution is much more flexible than an anonymous FTP server, said Schiller. He explained that process forking on an FTP server is "evil" and consumes too much memory and resources. If many users are FTPing the software over a somewhat slow 14.4Kb link, too many processes will be forked and the server could become hosed. However, a more efficient distribution program can be created for a Web interface by multiplexing requests.
The MIT PGP and PGPfone distribution site first asks questions regarding citizenship, exportation of PGP and RSAREF, the license agreement, and non-commercial use. If a user's answers do not satisfy some simple criteria, the user is denied access, Schiller said.
The program evaluates the IP address where the request originated. It then uses the IP address to obtain a domain name via a DNS lookup. In instances where the IP address cannot be reverse resolved, the user is denied access and eventually told to contact their ISP for necessary configuration changes.
The domains fall into 3 categories: known U.S./Canadian domains, known foreign domains, and unknown domains. U.S./Canadian domains are allowed access while the foreign domains are automatically denied access. The unknown case results in a "sorry I can't verify you" type of message. The user is asked to provide an e-mail address to receive a half-hour limited one-time password to access the distribution. Both Schiller and Lee admit that this process is not perfect or considered bullet-proof. For example, the MIT setup does allow access from large online services such as America Online or Compuserve, despite the fact that connections may come from overseas.
Download records are kept, but only for auditing and statistics purposes.
In response to a question as to why better methods aren't used Schiller said, "Give me an algorithm and I'll implement it" -- highlighting the fact that there isn't an airtight way to discern foreign requests from domestic requests.
One attendee said that his company lawyers gave him fairly good advice on export control. They said to show that actions were made in good faith to prevent the exportation of cryptographic software and to have an honest claim to not be part of a conspiracy.
Lee said that making regulatory policy for complex technical issues is difficult. Laws must be interpreted. This is common law, not civil law. The government realizes this area needs strong efforts.
Cryptography falls under the jurisdiction of the International Traffic in Arms Regulations (ITAR), handled by the State Department. However it is possible to obtain a Commodity Jurisdiction from the Commerce Department. The government seems to want reasonable assurance that the software is not exported.
Recently a personal use exemption amendment was made to the ITAR. It has come to be known as the "Matt Blaze exemption". A workshop attendee asked if the exemption meant that a U.S. citizen can download PGP from MIT while working in London? This is unclear as regulation does not define who in the client-server relationship is the exporter.
Many specific examples of possible ITAR infringements were brought up by the audience. Sticking a table of full of PGP disks in the transit lounge of JFK International Airport may or may not be a violation, depending on circumstances, said Lee. A second example was of a university where 30 percent of students are foreign, but have access to PGP on the file systems. Is this illegal? What liability is there of the system administrator? These questions were mainly left unanswered. Lee advised seeking counsel for specific instances.
Related Internet Resources:
[ CFP96 Newsletter | CFP96 | CFP | general info ]
Comments and bug reports to Daniel C. Stevenson