[2857] in Kerberos

RE: export question

daemon@ATHENA.MIT.EDU (Dan Lanciani)
Tue Oct 12 21:22:44 1993

Date: Tue, 12 Oct 93 21:07:37 EDT
From: ddl@das.harvard.edu (Dan Lanciani)
To: kerberos@MIT.EDU

|It is true that Digital received export
|approval to ship a hobbled version of Kerberos V4 that had user data
|encryption removed.

I've seen this stated before, but every time I try to pin it down I
find a slightly different story.  Can you expand on exactly what kind
of approval Digital got and from whom?  My minimal understanding of
the export license system is that there are several general licenses
under which you can export by meeting certain requirements.  You can
get advice from consultants or (I assume) the government itself to
clarify fine points about whether you meet the requirements, but you
are still ultimately using a general license (e.g., GDEST) to perform
the export.  The concept of approval doesn't seem to enter into it.

If you can't use a general license then there are only two other choices:
individual validated licenses per export and a self-audit system for
high-volume shipments.  The latter is really just a special case of the
former in a sense as it still doesn't let you make your own decisions.
There seems to be no concept of getting an individual license for a
given *product* as opposed to a specific export event.

|Someone else asking the same
|question might have gotten a different answer.

A rather disturbing notion :(

|We might have gotten a
|different answer had we asked on a different day.  I claim it is
|impossible to accurately predict what will be acceptable and what will
|not.

Again, I'd really be interested to know who is giving these answers.  From
other conversations, I suspect that what happened was that DEC in consultation
with appropriate legal and export advisors determined that their product
fell under one of the general export licenses.  Undoubtedly DEC did enough
research and asked enough questions (possibly even to the point of directly
asking the appropriate government entity whether it would attempt to
prosecute) to convince themselves that their analysis was reasonable.  But
I think there is a subtle difference between convincing yourself of the
correctness of your interpretation and actually getting ``approval.''  A
company smaller than DEC and willing to take more risk might make such
exports without doing the same extensive research.  Now, granted, if
that company asked the opinion of a government entity and was told ``No.''
then they might be foolish to proceed.  If the answer was ``We don't have
time to answer this for a little company who isn't DEC.'', though, that
company might not want to give up: the opinion of private export consultants
counts for something and might be enough for the stockholders to take the
risk.

On the other hand, if indeed there is some form of product-export-license
I'd really like to get more information about the application process and
about how it interacts with the other categories of general and per-export
licenses.  If such a license doesn't exist then you can't be doing anything
wrong by failing to get one (or can you) :)

				Dan Lanciani
				ddl@harvard.edu
