Getting back to you late - I've been very busy lately.

My github name is: petertrei

I'm still setting up gpg keys - thinking about how to do it securely.

Peter

On Thu, Jun 5, 2014 at 10:30 PM, Stephen R Guglielmo <srguglielmo@xxxxxxxxx> wrote:
> On Thu, Jun 5, 2014 at 8:41 PM, Peter Trei <petertrei@xxxxxxxxx> wrote:
> > I've just joined the list.
> >
> > I hope to contribute as a developer and architect; I spent 10 years developing cryptographic products at RSA Security, among other things.
>
> Welcome! Right now, development is on GitHub. I can give you rw access if you provide me with your username.
>
> > Have we cleared what we want to do with a lawyer knowledgeable in the field?
>
> Yeah, this needs to happen. I did a tiny bit of research in the last hour and found some information on the subject. The more I read about it, the more important it becomes known to me that we need to give this careful thought and consideration. www.cryptolaw.org seems to have a lot of information.
>
> OpenBSD (and thus OpenSSH) are hosted (developed?) in Canada [1]; however, as you mentioned, they have a legal entity backing the project. It seems that a significant number of countries have signed the Wassenaar Arrangement [2], which places restrictions on exports, including Canada (this confuses me a bit in the case of OpenBSD/SSH). The Wassenaar Arrangement limits the bit size of symmetric and asymmetric exports, but then allows a "personal use" exception (which, to me, could potentially lead to arbitrary and capricious legal decisions). I'm not sure if this affects just where the project is hosted/compiled, or where the developers reside, or both.
>
> Going off that website (which is probably a bit outdated), I compiled a list of countries that have *no* restrictions on cryptography export.
> -Mexico
> -Brazil (working on laws?)
> -Peru
> -Ghana
> -Kyrgyzstan
> -Malaysia (has some "decrypt during a legal search" laws)
> -Uruguay
>
> There are a few others, but they had some questionable comments/laws listed. That was just a quick summary of the information I found on the subject. A lawyer needs to be consulted though. I'm not sure how to go about doing that. Actually, I just googled "cryptography lawyer" and found a firm [3] that has offices in Philadelphia and Wilmington (both cities are very close to me).
>
> [1] http://www.openbsd.org/crypto.html
> [2] http://www.cryptolaw.org/cls2.htm#Wassenaar
> [3] http://www.panitchlaw.com/
>
> > I strongly suggest that someone on this project contact a team with similar concerns - for example, OpenSSL or OpenSSH, so we can leverage their experience, or we should talk to the EFF. I don't have strong personal contacts in those organizations, but perhaps someone else here does.
> >
> > A non-anonymous international team developing strong cryptographic products for general use needs to tread carefully, in today's climate.
> >
> > 3. Do we need to post a Warrant Canary? Do we need one for each team member? Should we add them to emails? Example at http://www.rsync.net/resources/notices/canary.txt
>
> I think Warrant Canaries are essential for each of us. That was a constant source of any general mistrust towards TrueCrypt.
>
> > Peter Trei
>
> Nice to meet you, Peter! And thank you!