Path: utzoo!attcan!uunet!aplcen!uakari.primate.wisc.edu!sdd.hp.com!wuarchive!psuvax1!rutgers!bellcore-2!envy!karn
From: karn@envy.bellcore.com (Phil Karn)
Newsgroups: comp.protocols.kerberos
Subject: Re: availability of kerberos
Message-ID: <1990Oct25.163408@envy.bellcore.com>
Date: 25 Oct 90 20:34:08 GMT
References: <9010222324.AA02153@sun22j.mdi.com> <9010230017.AA00974@delwin.MIT.EDU>
Sender: usenet@bellcore-2.bellcore.com (Poster of News)
Reply-To: karn@thumper.bellcore.com
Organization: Packet Communications Research Group (Bellcore)
Lines: 86

I hate to reopen the subject of export controls, but recently I had a chance to actually READ the relevant ITAR documents. If I understand them correctly, they no longer prohibit the export of Kerberos since it is "public domain technical data" (as defined by the rules). Here are two items I recently posted on sci.crypt:

Newsgroups: sci.crypt
From: karn@envy.bellcore.com (Phil Karn)
Subject: Re: Cryptography and the Law...
Message-ID: <1990Oct22.192542@envy.bellcore.com>
Reply-To: karn@thumper.bellcore.com
Date: Mon Oct 22 19:25:42 1990

In article <1990Oct16.203545.4347@odin.corp.sgi.com>, nelson@sgi.com (Nelson Bolyard) writes:
|> The export of encryption technology is *controlled* (not *ban*ned) by
|> two departments of the U.S. Gov't. They control it by issuing (or not
|> issuing) export licenses. [...]

Has anybody actually LOOKED recently at the regulations to see what they say?

Yesterday I saw a copy of the International Traffic in Arms Regulations (ITARs) which are maintained by the US Department of State. It carried a November 1989 date.
I was surprised to see that it now includes a blanket exemption for any "technical data" (which I interpret according to their definition to include cryptographic software) that is in the "public domain", which they define as information readily accessible to the public in any of several ways (note that this is different from the intellectual property definition of "public domain").

So it appears that the ITARs now include the same exemption for publicly available information that has long been carried in the Commerce Dept regulations.

If so, it seems that there is no longer any reason to worry about the export of Kerberos, any of the various public-domain DES implementations, or indeed implementations of *any* cryptographic scheme as long as the author is willing to publish the code in the open literature. Proprietary systems would still be subject to controls.

Has anybody else *recently* looked into this subject?

Phil

Newsgroups: sci.crypt
From: karn@envy.bellcore.com (Phil Karn)
Subject: Re: Cryptography and the Law...
Message-ID: <1990Oct23.052418.1957@bellcore-2.bellcore.com>
Reply-To: karn@thumper.bellcore.com (Phil Karn)
Date: Tue, 23 Oct 90 05:24:18 GMT

Here are the relevant excerpts from the International Traffic in Arms Regulations (ITAR) (22 CFR 120-130) November 1989:

[Definitions]

120.18 Public domain

"Public domain" means information which is published and which is generally accessible or available to the public:

(a) Through sales at newsstands and bookstores;
(b) Through subscriptions which are available without restriction to any individual who desires to obtain or purchase the published information;
(c) Through second class mailing privileges granted by the U.S. Government; or,
(d) At libraries open to the public.

[US Munitions List]

121.1 (Category XIII)

(b) Speech scramblers, privacy devices, cryptographic devices and software (encoding and decoding), and components specifically designed or modified therefore, ancillary equipment, and protective apparatus specifically designed or modified for such devices, components, and equipment.

[Part 125 - Licenses for the export of technical data and classified defense articles]

125.1 Exports subject to this part

125.1 (a) The export controls of this part apply to the export of technical data and the export of classified defense articles. Information which is in the "public domain" (see Section 120.18) is not subject to the controls of this subchapter.