[ntp:questions] Re: exporting NTP from the US

David L. Mills mills at udel.edu
Thu Mar 30 18:03:24 UTC 2006


Terje,

Add this to your bag of silly stories.

I had heard of a professor at a California university that was 
threatened with prosecution because there were Chinese nationals in his 
class on cyrptographic algorithms. I put this issue to my DARPA program 
manager and asked for official clarification, as I also have Chinese 
nationals in my class on computer security. The <official> answer was 
this was okay as long as the Chinese nationals "took no documents or 
notes upon returning to China." The DARPA official even managed to say 
that with a straight face.

Times have changed. Thirty years ago it was illegal to encrypt anything 
in Germany.

Dave

Terje Mathisen wrote:
> alan.kiecker wrote:
> 
>> Thanks, Harlan.
>>
>> We are planning on using the NTP package that Meinberg has available
>> for Windows.  Many of our customers isolate their private networks from
>> the Internet making it difficult for them to download the package so we
>> are planning on making it available to them on our own release media.
>> This in effect would make us an exporter, and consequently my
>> questions.
> 
> 
> Ouch!
> 
>>
>> The package as downloaded from Meinberg includes both the SSLeay32.dll
>> and libeay32.dll libraries.  The following FAQ
>>
>> http://www.columbia.edu/~ariel/ssleay/ssleay-legal-faq.html
>>
>> mentions some ITAR issues concerning SSL but does not really go into
>> details.  I am assuming that these two libraries, which are used by
>> NTP, contain the encryption algorithms that are of concern.  Since the
>> API of these libraries is well documented on the Internet, anyone would
>> be able to make use of the encryption algorithms once they have the
>> libraries.
>>
>> Any advice would be appreciated.
> 
> 
> My considered advice is this:
> 
> Simply forget about it!
> 
> The source code is freely available, everywhere, including those states 
> that the US classified as 'The Axis of Evil' once upon a time, and so 
> are compilers capable of regenerating the binaries.
> 
> At this point the theoretical possibility of using Unisys media as way 
> to get access to SSL libraries, and then use them for terrorist activity 
> seems quite farfetched to me.
> 
> Terje
> 
> OTOH, I'm not a US citizen, so I'm not bound by what I consider to be a 
> particularly stupid US law. :-)
> 
>>
>> Thanks.
>>
>> -- al
>>
> 
> 




More information about the questions mailing list