[7002] in Kerberos
Re: kerberos security
daemon@ATHENA.MIT.EDU (Joe Kovara)
Wed Apr 3 16:54:13 1996
To: kerberos@MIT.EDU
Date: Wed, 03 Apr 1996 04:32:36 GMT
From: joek@CyberSafe.com (Joe Kovara)

hartmans@MIT.EDU (Sam Hartman) wrote:

> Unfortunately, MIT's Kerberos5 cannot be exported from the
> United States. You will have to wait for someone to implement
> Kerberos5 outside the US in order to get a legal copy.

We (CyberSafe) export U.S. implemented versions of Kerberos (as well
as the GSSAPI), under both State and Commerce Department jurisdiction.
Full-strength Kerberos is allowed for export to approved countries for
use by a financial institution for financial applications or certain
government agencies (under State jurisdiction). A generally
exportable Commerce jurisdiction version requires eliminating
user-data encryption, or weakening it to a level acceptable to the
NSA; full-strength crypto is allowed for Commerce jurisdiction
versions if used only for authentication.

Triple DES is a different animal--"under no conditions" sums it up.
We are waiting for clarification on whether triple DES is generally
exportable if used for authentication only (yes, it should be, but we
never assume).

There are several variations of these themes depending on: the
application; who controls the application; the company and country to
which the application is shipped; and the accessibility of certain
application capabilities.

DISCLAIMER: This is *NOT* a legal reading. All crypto exports from
the U.S. require a license of some sort, be it from Commerce or State.
Consult an attorney. Do not try this at home. Your mileage *will*
vary.

Joe Kovara / Director of Engineering / CyberSafe Corp.
1605 NW Sammamish Road, Suite 310 / Issaquah, WA 98027
joek@cybersafe.com / 206-391-6000 (phone) / 206-391-0508 (fax)