[1911] in Kerberos

Re: AS/TGS question and DES question

daemon@ATHENA.MIT.EDU (Edward A. Russell)
Wed May 20 00:35:46 1992

Date: 19 May 92 15:55:32 GMT
From: erussell@wang.com (Edward A. Russell)
To: kerberos@shelby.Stanford.EDU

jefff@alliance.UUCP (Jeff French) writes:

>I have been reading some papers/articles on Kerberos and there are a
>couple points on which I'm not clear.  Would someone help me with the
>following?

>  1. What are the advantages of having an Authentication Server (AS)
>     and Ticket-Granting Server (TGS) instead of having a single
>     server that does the authentication and ticket granting?


The V4 implementation of Kerberos is built as a single task
incorporating (AS) and (TGS).  There is a separate server for remote
admin functions (e.g. adding a user).

>  2. I understand that encryption algorithms cannot be exported out of
>     the USA, but does that also include binaries that perform the
>     encryption?  For example, if I have an application that uses DES
>     encryption, may I legally send the application binaries to a
>     person/company in Europe?


The following is an excerpt from the Export Policy GUIDELINES of DES
algorithms implemented in Hardware or Software.

"The DES algorithm can be used in systems/products for authentication,
message INTEGRITY, access control (PIN and password), proprietary
software protection (decryption only) and automatic teller devices.
These DES-based applications are currently under Department of
Commerce jurisdiction"

In other words, it APPEARS, (read: unofficial, no liability to me, may
not stand up in court) that Kerberos CAN be exported (perhaps
requiring some permission from DOC) because it uses DES only to
encrypt/decrypt authentication messages.  You could NOT export
something that used DES to encrypt/decrypt actual message
text.

--
   
   *   *         ==================================================
     ^           #    erussell@wang.com     "Just a happy guy"    #
   \___/         ==================================================
