rotor replacement

[Paul Rubin]

Scott David Daniels <Scott.Daniels at Acm.Org> writes:
> I understand this to be true.  Since I am trying to address encryption
> in the zipfile module, and I know you actually follow a bit of the
> encryption stuff, can you answer a question or two for me?

Sure, I can try, so go ahead.  There's more crypto expertise in
sci.crypt though.

Zipfile encryption is totally incompatible with the rotor module, by
the way, and traditionally it didn't use AES.  There are a couple of
replacements for the traditional method that do use AES but that I
think are somewhat incompatible with each other.

>  > The Python maintainers didn't want to deal with imagined legal hassles
>  > that might develop from including good crypto functions in the
>  > distribution.  Then it became obvious that the same imagined hassles
> > could also befall the rotor module, so that was removed.
> 
> Are you saying these hassles are, in fact, imaginary rather than real?

Well, I didn't want to say that the hassles were real, but I wasn't
trying to insinuate quite as much as it may have sounded.  Like, I
don't drive my car at 100 mph on Main Street because I can imagine
what would happen and it's not pretty.  The imagined carnage is a good
enough reason not to drive that way.  However, I do feel that the
Python distributors are being over-cautious, see below.

> Is this because you feel python is over-cautious about the USA, or is
> this an opinion on "essentially all countries?"  This is not a quibble
> or a kvetch; I would like your understanding about the world legal
> state of dealing with encryption (which, I assure you, I won't take as
> definitive).  I would hate to think someone in, for example, the UAE,
> was busted for downloading or republishing python "out-of-the-box."

I think the Python maintainers were more concerned about that UAE
situation.  However, the most widely deployed encryption software is
the SSL stack in just about every web browser (MSIE, Firefox, etc.)
and I'm sure lots of people are using those browsers in the UAE.  The
Mozilla foundation isn't hestitating to ship the encryption as far as
I can tell.

See http://www.bxa.doc.gov/Encryption for the USA rules.  Basically
for a free encryption program on the web, you're supposed to notify
the Dept. of Commerce by sending them an email when you publish it,
telling them where they can get it (address is on that site).  As far
as anyone can tell, the DOC never does anything with those emails.
The rules are more complicated for nonpublished commercial programs,
crypto hardware, etc.

> Don't get me wrong, I'd love the answer to be "sure its fine," but my
> current plans are to provide a way to connect a crypto package to
> zipfile without providing any such package myself.

I'd say provide a package if you can, unless you have realistic
concern about getting in trouble.