This is the mail archive of the ecos-discuss@sources.redhat.com mailing list for the eCos project.
Re: Protecting RedBoot in the field
- From: Gary Thomas <gthomas at ecoscentric dot com>
- To: Jonathan Larmour <jifl at eCosCentric dot com>
- Cc: Andrew Lunn <andrew dot lunn at ascom dot ch>,eCos Disuss <ecos-discuss at sources dot redhat dot com>
- Date: 05 Nov 2002 07:33:50 -0700
- Subject: Re: [ECOS] Protecting RedBoot in the field
- References: <20021028103111.GV16433@biferten.ma.tech.ascom.ch> <1035817982.1938.357.camel@hermes.chez-thomas.org> <20021028151738.GB16433@biferten.ma.tech.ascom.ch><1035818612.1938.402.camel@hermes.chez-thomas.org> <3DC759CD.1060803@eCosCentric.com>
On Mon, 2002-11-04 at 22:40, Jonathan Larmour wrote:
> Gary Thomas wrote:
> > On Mon, 2002-10-28 at 08:17, Andrew Lunn wrote:
> >
> >>>That said, I think a password (stored in 'fconfig') would be a
> >>>great addition.
> >>
> >>I wondered about encrypting the passwd so it's not plain text. But does
> >>that get us into US export regulation problems? Is crypt(3) still
> >>under restrictions? Can anybody suggest an alternative?
> >
> >
> > The restrictions on most simple algorithms (IIRC less than 56 bit
> > keys) have been lifted for a couple of years.
>
> Alas it isn't as simple as that: there are different regulations depending
> on the nature of the thing containing encryption and key length among
> other things. In summary, you can be granted an export licence for freely
> downloadable software fairly readily, but each submission requires a
> submission to the US BXA. Any time the encryption code is modified a new
> application is required. Who knows what happens with download mirror sites.
>
> Note that things would become more difficult for commercial
> redistributors/vendors of eCos (especially with the GPL involved) if stuff
> like OpenSSL was properly integrated. It would no longer have the
> exemptions associated with being "freely available", primarily the onerous
> post-export reporting ones.
>
> After a google, this is the best summary of the current status I could find:
> http://www.fas.org/irp/news/2000/01/000113-crypto-bxa.htm
>
> That's why (unfortunately) OpenSSL is best left distributed only in the
> Free world.
The way I read it, code which was derived from open source is
exempt, period. Look at TSU -- §§740.13(e) on this page:
http://www.bxa.doc.gov/Encryption/lechart1.htm
straight from the BXA themselves.
--
------------------------------------------------------------
Gary Thomas |
eCosCentric, Ltd. |
+1 (970) 229-1963 | eCos & RedBoot experts
gthomas@ecoscentric.com |
http://www.ecoscentric.com/ |
------------------------------------------------------------