[661] in Kerberos
Export of Kerberos
daemon@TELECOM.MIT.EDU (Jerome H Saltzer)
Thu Mar 9 10:42:47 1989
From: Jerome H Saltzer <jhs%computer-lab.cambridge.ac.uk@NSS.CS.UCL.AC.UK>
To: bcn@JUNE.CS.WASHINGTON.EDU
Cc: kerberos@ATHENA.MIT.EDU
In-Reply-To: Clifford Neuman's message of Sat, 4 Mar 89 07:23:26 PST <8903041523.AA14690@june.cs.washington.edu>

> Now, suppose we could convince this person to provide the same
> procedural interface to DES as we use with Kerberos. Could we then
> export a version of Kerberos without encryption, and tell the people
> that get that version to get the DES routines from Finland?

Cliff,

Unfortunately, we explored this path pretty thoroughly with the
lawyers. We didn't know about the Finnish (Finlandish?)
implementation, but we knew of implementations from Switzerland,
Germany, England, and Australia. The problem is that Kerberos with
the DES package omitted appears to fall into an equally tightly
controlled software export category called "ancillary encryption
control equipment".

The current export strategy includes reviving the PC implementation of
Kerberos with the goal of moving it into a newly-created category of
"software intended for a mass-market" or some name like that. Then it
might be possible to export it either with a non-DES algorithm or in a
form where someone else can add whatever encryption they like.

Meanwhile, a temporary export expedient is to go through the source
and remove the calls to the encryption library completely, thereby
turning it into ordinary software for purposes of export. Although
that approach emasculates the security, it at least preserves all the
interfaces so that the rest of the Athena system doesn't have to be
tinkered with as part of initial export projects.

Jerry