[3362] in Kerberos
Re: DES export to Europe (in DCE).
daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Thu Jun 2 12:08:26 1994
Date: Thu, 2 Jun 1994 11:50:28 -0400
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
To: mvbr@god.bel.alcatel.be
Cc: kerberos@MIT.EDU
In-Reply-To: <2ska0p$eeh@btmplq.god.bel.alcatel.be> (mvbr@btma06.god.bel.alcatel.be)
I won't speak for other vendors, but here's what HP does:
We ship two versions of DCE in object code form:
- "Domestic", not for export, which includes full functionality.
- "International", which is for export and does not provide
programmer access to encryption entry points.
Both versions use "full strength" 56-bit DES; the only difference is
that the export version disables all DCE entry points & options which
provide for user data privacy (this, alas, includes most of the krb5
calls since many of them can be trivially tweaked into becoming
encryption engines)
Full strength DES encryption is used for protecting password changes
in both the international and domestic versions.
OSF's source product is also in two versions; a domestic version
containing all the code, and an international version which has (among
other things) the encryption algorithms replaced by NOOP functions.
The code is *not* gutted to the same extent as Bones.
- Bill
