[geekcrypt] Re: Introducing Peter Trei

  • From: Niklas Lemcke - 林樂寬 <compul@xxxxxxxxxxxxxx>
  • To: geekcrypt@xxxxxxxxxxxxx
  • Date: Fri, 6 Jun 2014 09:06:24 +0800

On Thu, 5 Jun 2014 20:41:58 -0400
Peter Trei <petertrei@xxxxxxxxx> wrote:

> I've just joined the list.

Welcome :) It's nice to see experts joining here!

> I hope to contribute as a developer and architect; I spent 10 years
> developing cryptographic products at RSA Security, among other things.
> I'm also responsible for the Symmetric Key Challenges RSA posted from 1996
> on, which contributed to the relaxation of export regulations around 2000.
> Back then, ITAR placed draconian regulations on export of binaries, code,
> and even knowledge; and 'export' could be something as simple as a chat
> over beer. Things are much better now.
> I'm very happy with the open and transparent principles at ciphershed.org.
> In this kind of project, accountability creates confidence. But it also
> creates responsibility.
> ...which leads me to my first question...
> Have we cleared what we want to do with a lawyer knowledgeable in the field?
> There are three main concerns I have, and one minor one.  They may be
> nothing, but...
> 1. Licensing. According to Wikipedia, a company called SecurStar claims IP
> in at least some of the early source code. Has this been investigated?

It's been mentioned that it has to be investigated...

> 2. Export regulations. US EAR regulations require entities exporting
> cryptography - even free public domain source code - to register with BXA
> and report exports. This may require setting up a foundation or something,
> to create a legal nexus.

How do export regulations from the US apply, if--say--the code is being
published outside the US, by non-US individuals? We had thought about
moving away from GitHub because it is hosted in the US. I know a couple
of (patent) lawyers, but only one with potential experience in US law.
And that one is expensive. :P

> See
> http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status
> Selling compiled crypto SW for money adds in a lot more regulations, btw.
> The Truecrypt.ch folk should think about that.
> Things used to be a great deal stricter (this project would have been flat out
> illegal prior to 2000), but I still find myself concerned (hopefully
> without cause) at the notion of an international team of both US and non-US
> citizens and residents collaborating in this manner on a crypto package.
> There may be *nothing* wrong, so long as, (for example) we don't have a
> member in China or Russia. But I'd sleep easier knowing we checked whether
> (for example) every git commit needed a notification to BXA (they could be
> automated, btw).
> I strongly suggest that someone on this project contact a team with similar
> concerns - for example, OpenSSL or OpenSSH, so we can leverage their
> experience, or we should talk to the EFF. I don't have strong personal
> contacts in those organizations, but perhaps someone else here does.

Agree, should be done within the next days to get it out of the way.

> A non-anonymous international team developing strong cryptographic products
> for general use needs to tread carefully, in today's climate.
> 3. Do we need to post a Warrant Canary? Do we need one for each team
> member? Should we add them to emails? Example at
> http://www.rsync.net/resources/notices/canary.txt

I would strongly suggest we do so! If no other idea comes up, I will
incorporate it in my mails today. I prefer it over a website-one, since
it's decentralized.

> 4. I *hate* the name FalseCrypt; and GeekCrypt isn't much better. How about
> WorldCrypt?

For now we have settled on CipherShed, where the project's website has
been reachable for a few hours now. Everyone liked that name, and so we
decided to use it (if only for now), so we can get down to the
nitty-gritty. :)

> Can we settle this, so we can get back to coding?
> Peter Trei


Niklas Lemcke - 林樂寬
