[1587] in Kerberos
Re: kerberos outside US
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Thu Oct 3 20:41:31 1991
Date: Thu, 3 Oct 91 18:09:30 -0400
From: tytso@ATHENA.MIT.EDU (Theodore Ts'o)
To: pato@apollo.com
Cc: lecom@siihp1.epfl.ch ("Claude Lecommandeur SIC-SII"), kerberos@MIT.EDU
In-Reply-To: Joe Pato's message of Thu, 3 Oct 91 17:18:19 EDT,
Reply-To: tytso@athena.mit.edu
From: pato@apollo.com (Joe Pato)
Date: Thu, 3 Oct 91 17:18:19 EDT
No, the OSF DCE sources ARE exportable. The international edition
comes without DES (and substitutes a singularly weak replacement -
the identity function) and s fully functional when built (albeit
insecure). Foreign customers can then add any encryption algorithm
they choose.
The last time MIT tried to export Kerberos (V4, to Australia), merely
leaving out the encryption was not sufficient; we had to strip out all
of the _calls_ to the DES routines; we couldn't just replace the DES
routines with the identity function. (For Kerberos V4, we used a
program called "barracuda" which stripped out the appropriate subroutine
calls to produce "bones".) If you can find the appropriate barracuda to
tell you that your approach is O.K., and your company is willing to risk
incurring the wrath of the State and/or Commerce department, more power
to you!
- Ted
