Security question including SSL and JCE.

Jason von Nieda (jason@vonnieda.org)
Tue, 29 Dec 1998 18:08:06 -0600

Dear Security Team,

My name is Jason von Nieda and I am currently implementing
SSL v3 in Java. My aim is to create a freely exportable library with
hooks to the JCE for crypto implementations. Recent readings make
it sound like this may not be possible, so I have a few questions.
First, if I write software that uses the JCE (imports javax.crypto)
but does not contain any crypto code, does my code fall under the same
export restrictions as the JCE itself.
Secondly, I would like to follow the posted SSL API (javax.net.ssl)
but it seems to be getting a bit dated. Is this API going to be
continued or is it dead? I notice some of the methods specify
packages that are now part of JDK 1.2, so I assume it needs to
be updated to reflect that. My primary concern is whether or not
this API will ever make it out of Early Access?
Lastly, while not exactly Java related, could you point me to
a site or two that has a description of the current crypto
export laws? I have looked and cannot find anything that defines
in concrete what the laws on API export are.
If you are interested in the SSL implementation, please have a
look at: http://www.vonnieda.org/jSSL

Thank you in advance for your time and effort. Have a great day!

-- 
    Jason von Nieda       | "We can count on the fact
 http://www.vonnieda.org  |  that the spread of strong
mailto:jason@vonnieda.org |  encryption is going to mean
PGP Key available on req. |  that lives are going to be lost"
  BlinkenLts on AOL IM    |  -- Yet another clueless moron.