[geekcrypt] Introducing Peter Trei

  • From: Peter Trei <petertrei@xxxxxxxxx>
  • To: geekcrypt@xxxxxxxxxxxxx
  • Date: Thu, 5 Jun 2014 20:41:58 -0400

I've just joined the list.

I hope to contribute as a developer and architect; I spent 10 years
developing cryptographic products at RSA Security, among other things.

I'm also responsible for the Symmetric Key Challenges RSA posted from 1996
on, which contributed to the relaxation of export regulations around 2000.
Back then, ITAR placed draconian regulations on export of binaries, code,
and even knowledge; and 'export' could be something as simple as a chat
over beer. Things are much better now.

I'm very happy with the open and transparent principles at ciphershed.org.
In this kind of project, accountability creates confidence. But it also
creates responsibility.

...which leads me to my first question...

Have we cleared what we want to do with a lawyer knowledgeable in the field?
There are three main concerns I have, and one minor one. They may be
nothing, but...

I AM NOT A LAWYER

1. Licensing. According to Wikipedia, a company called SecurStar claims IP
in at least some of the early source code. Has this been investigated?

2. Export regulations. US EAR regulations require entities exporting
cryptography - even free public domain source code - to register with BXA
and report exports. This may require setting up a foundation or something,
to create a legal nexus.

See

http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status

Selling compiled crypto SW for money adds in a lot more regulations, btw.
The Truecrypt.ch folk should think about that.

Things used to be a great deal stricter (this project would have been flat out
illegal prior to 2000), but I still find myself concerned (hopefully
without cause) at the notion of an international team of both US and non-US
citizens and residents collaborating in this manner on a crypto package.
There may be *nothing* wrong, so long as (for example) we don't have a
member in China or Russia. But I'd sleep easier knowing we checked whether
(for example) every git commit needed a notification to BXA (they could be
automated, btw).

I strongly suggest that someone on this project contact a team with similar
concerns - for example, OpenSSL or OpenSSH, so we can leverage their
experience, or we should talk to the EFF. I don't have strong personal
contacts in those organizations, but perhaps someone else here does.

A non-anonymous international team developing strong cryptographic products
for general use needs to tread carefully, in today's climate.

3. Do we need to post a Warrant Canary? Do we need one for each team
member? Should we add them to emails? Example at
http://www.rsync.net/resources/notices/canary.txt

4. I *hate* the name FalseCrypt; and GeekCrypt isn't much better. How about
WorldCrypt?

Can we settle this, so we can get back to coding?

Peter Trei
