[3360] in Kerberos


Re: Kerberos-5 worldwide -- it's possible

daemon@ATHENA.MIT.EDU (John Gilmore)
Wed Jun 1 21:03:51 1994

To: kerberos@MIT.EDU, network-security@cygnus.com, bede@scotty.mitre.org
Cc: tony@sodalia.it, ccslsn@midge.bath.ac.uk
In-Reply-To: Your message of "Wed, 01 Jun 1994 19:38:29 EDT."
             <199406012338.TAA24899@scotty.mitre.org> 
Date: Wed, 01 Jun 1994 17:52:50 -0700
From: John Gilmore <gnu@cygnus.com>

> MIT's crypto-free "bones" V4 distribution has been available for
> unrestricted export for several years.   I've looked at the online
> material you mention and I'm afraid I still don't clearly understand
> what you and/or Cygnus actually accomplished that's new, . . .
>
> There are no US export restrictions that I am aware of on non-crypto
> software . . .   Hence, your request for either US State or Commerce
> Department permission to distribute V4 "bones" at this point, and the
> implication that this is a required action, seems to just muddy the
> waters.

It is not required that you get formal permission from the State Dept.
or the Commerce Dept. before exporting non-cryptographic software.
However, the penalties for mistakes are severe -- including 10-year
jail terms -- so prudence is advisable.

Cygnus ships its other products worldwide without worrying about
export issues; mistakes there are unlikely.  But when it comes to
software that *used to be* embargoed crypto software -- the K4 "Bones"
-- we thought it prudent to get official notification from the
government that the "Bones" were exportable.  You-all and I realize
that the intent of the Bones was to make exportable software; the
question was whether that intent had been realized, to the
satisfaction of the government.  The "new" work that Cygnus
accomplished was to verify that the intent *was* realized.

Personally I would not attempt to export a "sanitized" K5 without
getting explicit, official adjudication that it was not embargoed.  If
a question ever came up later, it would be VERY handy to show those
documents to a judge, rather than basing your defense on the "But I
thought the law said..." model.

The whole of Kerberos itself is fully exportable if you read the rules
in a certain way; it does authentication, authentication is not
controlled by the State Dept, and the Commerce Dept allows publicly
available software of any kind to be exported.  There'd be no need for
the Bones at all.  But what exactly is authentication and when does it
stretch into information hiding?  Does sending a change_password
request using mk_priv constitute authentication, since the privacy
only extends to the authentication information?  Does the existence of
lower level DES routines in the source code scotch any attempt to
export source code?  Only the government knows for sure -- and the way
we find out what it officially thinks is by submitting CJ requests.
(If you do this, send me email and I'll add the CJ and response to the
crypto export archives.)

The NSA interest is actually served by having uncertainty regarding
crypto export -- it will encourage cautious people to not even try,
and will encourage incautious fools to step way over the line so they
can be skewered to publicize the controls.  In this way, NSA can exert
a larger actual control than the Constitution, laws, and regulations
theoretically permit.  (I have Justice Dept. legal documents, obtained
under FOIA, that show that the Office of Legal Counsel there believes
that the export laws are unconstitutional as applied to technical data
-- including software -- which is protected under the First Amendment.)
It is in *our* interest as a society to have this uncertainty be
resolved -- by asking the questions, publishing the official results,
and publicly questioning the strange results (like the software that's
exportable on paper but not on floppy).  Then people who desire to
live within the law will know what is allowed and what is not allowed.

I agree that protracted discussion of crypto export should move to
a more appropriate forum -- perhaps comp.org.eff.talk.  Further
discussion of K4 and K5 export should stay here in kerberos@mit.edu
or comp.protocols.kerberos.

	John Gilmore
