On Thu, Jun 5, 2014 at 10:31 PM, Bill Cox <waywardgeek@xxxxxxxxx> wrote:
> Hi, Peter, and welcome!
>
> On Thu, Jun 5, 2014 at 8:41 PM, Peter Trei <petertrei@xxxxxxxxx> wrote:
>
>> I've just joined the list.
>>
>> I hope to contribute as a developer and architect; I spent 10 years
>> developing cryptographic products at RSA Security, among other things.
>>
>> I'm also responsible for the Symmetric Key Challenges RSA posted from
>> 1996 on, which contributed to the relaxation of export regulations around
>> 2000. Back then, ITAR placed draconian regulations on export of binaries,
>> code, and even knowledge; and 'export' could be something as simple as a
>> chat over beer. Things are much better now.
>>
>
> That's a truly outstanding background! Also, thank you for helping defeat
> the Clipper Chip and 32-bit limits on browser keys! The world economy owes
> a ton to our ability to make semi-secure online transactions, not to
> mention at least some safeguards on privacy.
>
> I have suggested that PID0 and Frank belong before me on the list of core
> devs, and it sounds like you do too. If we get enough world-class
> crypto-geeks involved, I will be happy to step down to the level of
> non-core contributor.
>

It's far from clear how much time I can devote to the project; I'd rather be
down in the weeds, and take on tasks as needed. I'm very happy with the open
and transparent principles at ciphershed.org.

>> In this kind of project, accountability creates confidence. But it also
>> creates responsibility.
>>
>> ...which leads me to my first question...
>>
>> Have we cleared what we want to do with a lawyer knowledgeable in the
>> field? There are three main concerns I have, and one minor one. They may
>> be nothing, but...
>>
>
> Getting lawyers involved is generally a bad idea in my experience. Just
> talk to your friends who got separate lawyers for a divorce versus the ones
> who just went to mediation. The current silence from truecrypt.ch is
> likely due to having talked to lawyers. What truecrypt.ch should
> *really* be worried about is their trademark violation.
>

My hope is that we can get some free help from the legal team at EFF. I'd
hate to see any of us wind up in court over an EAR violation.

> In any case, there are two ongoing popular forks: RealCrypt and
> VeraCrypt. We're just a 3rd fork. No one gets sued in the US for working
> on non-profit open source crypto anymore, and it sounds like we have to
> thank you for that!
>
> I AM NOT A LAWYER
>
>> 1. Licensing. According to Wikipedia, a company called SecurStar claims
>> IP in at least some of the early source code. Has this been investigated?
>>
>
> They never sued before. Why worry now?
>
>> 2. Export regulations. US EAR regulations require entities exporting
>> cryptography - even free public domain source code - to register with BXA
>> and report exports. This may require setting up a foundation or something,
>> to create a legal nexus.
>>
>> See
>>
>> http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status
>>
>
> TrueCrypt fork will be imported, rather than exported. If someone in the
> US government wants to explain why I am not allowed to contribute to a
> Swiss based crypto FOSS project, I'd love to hear it. That sounds like a
> freedom worth defending.
>

I suggest you look at the Bernstein and Junger cases. While they came out
favorably for crypto rights, there are still rules in place.

> I think we can wait for BXA to ask for notification. Given that all our
> git commits on github will be public, I'm sure it's simpler for them to
> simply notice commits rather than bothering to even talk to us. I haven't
> heard a word from them about all my Tinycrypt commits on SourceForge.
>

That's what I'd like us to ask the EFF about. My <I AM NOT A LAWYER>
impression is that US persons can commit source code with wild abandon, but
compiled code would require a BXA notification. </I AM NOT A LAWYER>

>> I strongly suggest that someone on this project contact a team with
>> similar concerns - for example, OpenSSL or OpenSSH, so we can leverage
>> their experience, or we should talk to the EFF. I don't have strong
>> personal contacts in those organizations, but perhaps someone else here
>> does.
>>
>
> Good idea. I've sent a few emails to the TAILS dev list, and support
> list. They've already been very helpful. I'd love to have someone from
> one of those groups involved. In any case, we at a minimum need someone in
> a similar project who can help guide us.
>
>
>> A non-anonymous international team developing strong cryptographic
>> products for general use needs to tread carefully, in today's climate.
>>
>
> In today's climate, it is more critical than ever to stand up for our
> right to privacy.
>
>
>> 3. Do we need to post a Warrant Canary? Do we need one for each team
>> member? Should we add them to emails? Example at
>> http://www.rsync.net/resources/notices/canary.txt
>>
>
> Yes! It also has to be international and diverse enough for it to be
> difficult for the NSA to silence the whole core dev team at once.
> Normally, I think 3 devs might be the best number, but because of this
> issue, I'm leaning more towards 5.
>

Actually, it would be nice if everyone contributing had one. I'm attaching a
first try to this letter. My main fear is that at some time I will forget to
add it, and make people worry.

Peter

--
At the time of writing the above letter, I, Peter Trei, am not under any
personal legal compulsion regarding my participation in this project, nor
have I been served any warrants, nor do I know of any search or seizure of
my assets.