20th December 2010
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975

There are two assumptive errors I noted in that article, Oliver:
  1. That US developers traveled to Canada to develop crypto code
  2. That there was release-date pressure
#1: US developers and crypto

It is true that cryptographic logic was classed as a "munition" and treated as such by the US Department of State under International Traffic in Arms Regulations (ITAR). Under ITAR, US citizens, or non-US citizens working for US-owned companies, are disallowed the export of munitions without permission from the Department. Those who do not follow ITAR can find themselves charged with violating the Arms Export Control Act.

This "export" can be defined as any disclosure of any information -- including when attending seminars and meetings outside the US. That the information can already be public (such as found on the Internet) has no bearing on the export. The State Department can find, if they like, that the combination of two public documents constitutes a "teaching" and therefore an export of munitions technology.

Theo has already emphatically articulated, publicly and in writing, the constraints under which crypto code was developed. No US citizens or non-US citizens employed by US companies worked on the crypto code development. I'm thinking this was published by eWeek or InformationWeek or some other IT journal when the story broke last week, but I cannot find the reference at the moment. I'll look for it when I have time later this week, unless someone else posts a reference to it here sooner.

#2: Release date pressures

The OpenBSD release cycle is twice yearly. But there is no significant pressure to complete a particular development in time for this cycle. If code is not ready, by and large, it does not go in. Development is conducted in -current, for approximately four months. Then development is intentionally slowed for two months, during which the code is tested heavily, and a release produced. Release dates are flexible, to a degree, and when code is expected but is a little late, releases have been held in order to complete the development. But by and large, the project strives for quality over functionality as a culture.