[geekcrypt] Re: Introducing Peter Trei

  • From: Peter Trei <petertrei@xxxxxxxxx>
  • To: geekcrypt@xxxxxxxxxxxxx
  • Date: Thu, 12 Jun 2014 22:28:28 -0400

Getting back to you late - Ive been very busy lately.

My github name is:


I'm still setting up gpg keys - thinking about how to do it securely.


On Thu, Jun 5, 2014 at 10:30 PM, Stephen R Guglielmo <srguglielmo@xxxxxxxxx>

> On Thu, Jun 5, 2014 at 8:41 PM, Peter Trei <petertrei@xxxxxxxxx> wrote:
> > I've just joined the list.
> >
> > I hope to contribute as a developer and architect; I spent 10 years
> > developing cryptographic products at RSA Security, among other things.
> Welcome! Right now, development is on GitHub. I can give you rw access
> if you provide me with your username.
> > Have we cleared what want to do with a lawyer knowledgeable in the field?
> Yeah, this needs to happen. I did a tiny bit of research in the last
> hour and found some information on the subject. The more I read about
> it, the more important it becomes known to me that we need to give
> this careful thought and consideration. www.cryptolaw.org seems to
> have a lot of information.
> OpenBSD (and thus OpenSSH) are hosted (developed?) in Canada [1],
> however, as you mentioned, they have a legal entity backing the
> project. It seems that a significant number of countries have signed
> the Wassenaar Arrangement [2], which places restrictions on exports,
> including Canada (this confuses me a bit in the case of OpenBSD/SSH).
> The Wassenaar Arrangement limits the bit size of symmetric and
> asymmetric exports, but then allows a "personal use" exception (which,
> to me, could potentially lead to arbitrary and capricious legal
> decisions). I'm not sure if this affects just where the project is
> hosted/compiled, or where the developers reside, or both.
> Going off that website (which is probably a bit outdated), I compiled
> a list of countries that have *no* restrictions on cryptography
> export.
> -Mexico
> -Brazil (working on laws?)
> -Peru
> -Ghana
> -Kyrgyzstan
> -Malaysia (has some "decrypt during a legal search" laws)
> -Uruguay
> There are a few others, but they had some questionable comments/laws
> listed. That was just a quick summary of the information I found on
> the subject. A lawyer needs to be consulted though. I'm not sure how
> to go about doing that. Actually, I just googled "cryptography lawyer"
> and found a firm [3] that has offices in Philadephia and Wilmington
> (both cities are very close to me).
> [1] http://www.openbsd.org/crypto.html
> [2] http://www.cryptolaw.org/cls2.htm#Wassenaar
> [3] http://www.panitchlaw.com/
> > I strongly suggest that someone on this project contact a team with
> similar
> > concerns - for example, OpenSSL or OpenSSH, so we can leverage their
> > experience, or we should talk to the EFF. I don't have strong personal
> > contacts in those organizations, but perhaps someone else here does.
> >
> > A non-anonymous international team developing strong cryptographic
> products
> > for general use needs to tread carefully, in today's climate.
> >
> > 3. Do we need to post a Warrant Canary? Do we need one for each team
> member?
> > Should we add them to emails? Example at
> > http://www.rsync.net/resources/notices/canary.txt
> I think Warrant Canaries are essential for each of us. That was a
> constant source of any general mistrust towards TrueCrypt.
> > Peter Trei
> Nice to meet you Peter! And thank you!

Other related posts: