[745] in Kerberos
Re: Change in Export Rules
daemon@TELECOM.MIT.EDU (Jerry Saltzer)
Fri Jun 23 00:56:12 1989
From: Saltzer@PTT.LCS.MIT.EDU (Jerry Saltzer)
To: kerberos@ATHENA.MIT.EDU
Lyndon Nerenberg asks,
Would the US gov't object if the Kerberos distribution was made
available for export *without* the libdes directory (well, keep
the documentation)? That would leave it up to the end user to
implement their own DES replacement, such as the one recently
posted to comp.sources.unix.
Douglas P. Kingston says:
I assume that you are aware that there are public domain versions of
DES outside the US (in particular I believe versions have been written
in Australia, Finland and The Netherlands). Could Kerberos not be
distributed sans the encryption routines (like Unix) and have the
foreign obtain or write compatable routines. All you would need to do
is publish the library interface.
And Bill Sommerfeld comments:
Given that there's already a foreign (Finnish) version of DES with an
interface similar to the Athena DES (it looks like the original
intention was that it be plug-compatible), this doesn't sound like a
big problem.
We can merely distribute Kerberos source without DES, and let other
people find the DES library on their own...
These three comments make a good point in light of the reported rule
change. Unfortunately, the result isn't completely clear.
The path of exporting Kerberos by omitting the DES library was
explored in some depth last summer and fall. The analysis on this
approach is especially baroque, but the essence is that there are at
least two relevant categories of objects on which the State Department
likes to maintain tight control: "encryption devices" and "ancillary
encryption control devices". (Don't puzzle too long over the
inclusion of software in a category labeled "devices". What matters
is the definition of the category, not its label.) The DES library
falls clearly into the first category, and the rest of Kerberos
appears to fall into the second. By "appears", I mean that neither
the Digital, the IBM, nor the M.I.T. lawyer was willing to go to bat
for any other interpretation.
On that basis, and following some fairly clear precedents, we
concluded that (1) simply omitting the DES library wasn't enough to
allow license-free export of the rest of the system, and (2) if a
version of Kerberos were created that actually omitted the calls to
the DES library, those sources would be exportable without the special
State Department license. (The line of reasoning here seems to be
that one must be very knowledgeable to put the calls back in in all
the right places.)
It will take some detailed study of the new rules (and perhaps some
conversations with the people who created them) to see if a
consequence of the rule change is that the Kerberos sources, since
they constitute an authentication system, no longer have to be
classified as an ancillary encryption controlling device. If so, then
not only could binary versions of a slightly-limited Kerberos
subsystem be exported, as I suggested yesterday, but most of the
sources could be exported, too. Certainly this approach would allow
our university colleagues outside the U.S. to make some progress.
The possibility is sufficiently interesting that it is certainly worth
pursuing.
Jerry Saltzer
