[Openswan Users] openbsd ipsec backdoor rumors

Michael H. Warfield mhw at WittsEnd.com
Tue Dec 14 21:01:34 EST 2010

On Tue, 2010-12-14 at 20:40 -0500, Paul Wouters wrote: 
> On Tue, 14 Dec 2010, Michael H. Warfield wrote:
> > According to John Gilmore's post years ago, it looks like FreeS/WAN 1.0
> > was released back in April of 1999 which probably predated the BSD stack
> > but it's unclear from Theo's post if he is saying the contributions were
> > made in 2000-2001 or that their first release was.
> Angelos, the person who started the freeswan work went to work on openbsd
> ipsec work afterwards.
> > In April 1999, we released version 1.00 of the software
> Hugh Redelmeier also told me version 0.5 already worked pretty well (IKE+ESP)
> Too bad xs4all didn't keep the old files. I guess I should find the old
> releases and add them to http://www.freeswan.org/freeswan_trees/
> > FreeS/WAN could not be incorporated into Linux due to export
> > restrictions on the US based mirrors and servers.

> It was the "no US citizens can touch this" that prevented integration into
> linux (kerneli.org, hosted outside the US). FreeS/WAN was never made within
> the US, so there was no export restriction issue (at least until Canada &
> Holland signed the Wassenaar Agreement)

Yes and no.  Canada (FreeS/WAN) had (has) this peculiar treaty with the
US that basically said that Canadian exports were restricted by US
regulations if they entailed US imports.  So, according to Hugh and John
and others, if they accepted any code into FreeS/WAN from a US
contributor then, according to Canadian law, export of FreeS/WAN from
Canada would be subsequently subject to US export restrictions.  Thus
the restrictions on my contributions.  We went round and round about
that several times.  Even though I had contributed to SSH and authored
the original SSL code in fetchmail that was published on Eric Raymond's
US site, it didn't matter to them.  My code, even a patch, would taint
their code and subject them to US export restrictions from Canada.  I
HATE to say this but the collapse of the FreeS/WAN project and its
evolution into the Openswan and StrongSWAN forks, along with the
inclusion of the IPSec code into the Linux kernel with the relaxation of
the EAR regulations, was a very welcome development to me.  They made
great contributions but time moved on.

You are correct, though.  The kerneli.org project was hosted in Europe
and NOT subject to ITAR / EAR regulations or the restrictions of
Canadian / US treaties, but still, Linus stated emphatically that he
could not incorporate that crypto code into the mainstream kernel under
the regulatory restrictions that then existed.  The primary Linux
repository at the time was US based and he stated several times he would
not risk it.  The two of us had discussions of this back then and I was
privy to some of the regulatory changes before they were made public
back in 2000.  Didn't make any difference knowing what was coming.

> Paul

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!