Path: utzoo!attcan!uunet!cs.utexas.edu!tut.cis.ohio-state.edu!ucbvax!pasteur!agate!shelby!ALLSPICE.LCS.MIT.EDU!Saltzer From: Saltzer@ALLSPICE.LCS.MIT.EDU (Jerry Saltzer) Newsgroups: comp.protocols.kerberos Subject: Re: Change in Export Rules Message-ID: <8906230453.AA21081@PTT.LCS.MIT.EDU> Date: 23 Jun 89 04:53:49 GMT Sender: daemon@shelby.Stanford.EDU Organization: The Internet Lines: 66 Lyndon Nerenberg asks, Would the US gov't object if the Kerberos distribution was made available for export *without* the libdes directory (well, keep the documentation)? That would leave it up to the end user to implement their own DES replacement, such as the one recently posted to comp.sources.unix. Douglas P. Kingston says: I assume that you are aware that there are public domain versions of DES outside the US (in particular I believe versions have been written in Australia, Finland and The Netherlands). Could Kerberos not be distributed sans the encryption routines (like Unix) and have the foreign obtain or write compatable routines. All you would need to do is publish the library interface. And Bill Sommerfeld comments: Given that there's already a foreign (Finnish) version of DES with an interface similar to the Athena DES (it looks like the original intention was that it be plug-compatible), this doesn't sound like a big problem. We can merely distribute Kerberos source without DES, and let other people find the DES library on their own... These three comments make a good point in light of the reported rule change. Unfortunately, the result isn't completely clear. The path of exporting Kerberos by omitting the DES library was explored in some depth last summer and fall. The analysis on this approach is especially baroque, but the essence is that there are at least two relevant categories of objects on which the State Department likes to maintain tight control: "encryption devices" and "ancillary encryption control devices". (Don't puzzle too long over the inclusion of software in a category labeled "devices". What matters is the definition of the category, not its label.) The DES library falls clearly into the first category, and the rest of Kerberos appears to fall into the second. By "appears", I mean that neither the Digital, the IBM, nor the M.I.T. lawyer was willing to go to bat for any other interpretation. On that basis, and following some fairly clear precedents, we concluded that (1) simply omitting the DES library wasn't enough to allow license-free export of the rest of the system, and (2) if a version of Kerberos were created that actually omitted the calls to the DES library, those sources would be exportable without the special State Department license. (The line of reasoning here seems to be that one must be very knowledgeable to put the calls back in in all the right places.) It will take some detailed study of the new rules (and perhaps some conversations with the people who created them) to see if a consequence of the rule change is that the Kerberos sources, since they constitute an authentication system, no longer have to be classified as an ancillary encryption controlling device. If so, then not only could binary versions of a slightly-limited Kerberos subsystem be exported, as I suggested yesterday, but most of the sources could be exported, too. Certainly this approach would allow our university colleagues outside the U.S. to make some progress. The possibility is sufficiently interesting that it is certainly worth pursuing. Jerry Saltzer