[geekcrypt] Re: Introducing Peter Trei

  • From: Peter Trei <petertrei@xxxxxxxxx>
  • To: geekcrypt@xxxxxxxxxxxxx
  • Date: Thu, 5 Jun 2014 23:02:05 -0400

On Thu, Jun 5, 2014 at 10:31 PM, Bill Cox <waywardgeek@xxxxxxxxx> wrote:

> Hi, Peter, and welcome!
>
> On Thu, Jun 5, 2014 at 8:41 PM, Peter Trei <petertrei@xxxxxxxxx> wrote:
>
>> I've just joined the list.
>>
>> I hope to contribute as a developer and architect; I spent 10 years
>> developing cryptographic products at RSA Security, among other things.
>>
>> I'm also responsible for the Symmetric Key Challenges RSA posted from
>> 1996 on, which contributed to the relaxation of export regulations around
>> 2000. Back then, ITAR placed draconian regulations on export of binaries,
>> code, and even knowledge; and 'export' could be something as simple as a
>> chat over beer. Things are much better now.
>>
>
> That's a truly outstanding background!  Also, thank you for helping defeat
> the Clipper Chip and 32-bit limits on browser keys!  The world economy owes
> a ton to our ability to make semi-secure online transactions, not to
> mention at least some safeguards on privacy.
>
> I have suggested that PID0 and Frank belong before me on the list of core
> devs, and it sounds like you do too.  If we get enough world-class
> crypto-geeks involved, I will be happy to step down to the level of
> non-core contributor.
>

It's far from clear how much time I can devote to the project, I'd rather
be down in the weeds, and take on tasks as needed.

>> I'm very happy with the open and transparent principles at ciphershed.org.
>> In this kind of project, accountability creates confidence. But it also
>> creates responsibility.
>>
>> ...which leads me to my first question...
>>
>> Have we cleared what we want to do with a lawyer knowledgeable in the field?
>> There are three main concerns I have, and one minor one.  They may be
>> nothing, but...
>>
>
> Getting lawyers involved is generally a bad idea in my experience.  Just
> talk to your friends who got separate lawyers for a divorce versus the ones
> who just went to mediation.  The current silence from truecrypt.ch is
> likely due to having talked to lawyers.  What truecrypt.ch should
> *really* be worried about is their trademark violation.
>

My hope is that we can get some free help from the legal team at EFF. I'd
hate to see any of us wind up in court over an EAR violation.


> In any case, there are two ongoing popular forks: RealCrypt and
> VeraCrypt.  We're just a 3rd fork.  No one gets sued in the US for working
> on non-profit open source crypto anymore, and it sounds like we have to
> thank you for that!
>
>> I AM NOT A LAWYER
>>
>> 1. Licensing. According to Wikipedia, a company called SecurStar claims
>> IP in at least some of the early source code. Has this been investigated?
>>
>
> They never sued before.  Why worry now?
>
>> 2. Export regulations. US EAR regulations require entities exporting
>> cryptography - even free public domain source code - to register with BXA
>> and report exports. This may require setting up a foundation or something,
>> to create a legal nexus.
>
>> See
>>
>>
>> http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status
>>
>
> TrueCrypt fork will be imported, rather than exported.  If someone in the
> US government wants to explain why I am not allowed to contribute to a
> Swiss based crypto FOSS project, I'd love to hear it.  That sounds like a
> freedom worth defending.
>

I suggest you look at the Bernstein and Junger cases. While they came out
favorably for crypto rights, there are still rules in place.

> I think we can wait for BXA to ask for notification.  Given that all our
> git commits on github will be public, I'm sure it's simpler for them to
> simply notice commits rather than bothering to even talk to us.  I haven't
> heard a word from them about all my Tinycrypt commits on SourceForge.
>

That's what I'd like us to ask the EFF about. My <I AM NOT A LAWYER>
impression is that US persons can commit source code with wild abandon, but
compiled code would require a BXA notification. </I AM NOT A LAWYER>.


>> I strongly suggest that someone on this project contact a team with
>> similar concerns - for example, OpenSSL or OpenSSH, so we can leverage
>> their experience, or we should talk to the EFF. I don't have strong
>> personal contacts in those organizations, but perhaps someone else here
>> does.
>>
>
> Good idea.  I've sent a few emails to the TAILS dev list, and support
> list.  They've already been very helpful.  I'd love to have someone from
> one of those groups involved.  In any case, we at a minimum need someone in
> a similar project who can help guide us.
>
>
>> A non-anonymous international team developing strong cryptographic
>> products for general use needs to tread carefully, in today's climate.
>>
>
> In today's climate, it is more critical than ever to stand up for our
> right to privacy.
>
>
>> 3. Do we need to post a Warrant Canary? Do we need one for each team
>> member? Should we add them to emails? Example at
>> http://www.rsync.net/resources/notices/canary.txt
>>
>
> Yes!  It also has to be international and diverse enough for it to be
> difficult for the NSA to silence the whole core dev team at once.
> Normally, I think 3 devs might be the best number, but because of this
> issue, I'm leaning more towards 5.
>
Actually, it would be nice if everyone contributing had one. I'm
attaching a first try to this letter. My main fear is that at some time I
will forget to add it and make people worry.

Peter

-- 
At the time of writing the above letter,
I, Peter Trei, am not under any personal legal compulsion
regarding my participation in this project, nor have I been
served any warrants, nor do I know of any search or seizure
of my assets.
