daemon@TELECOM.MIT.EDU (Clifford Neuman)
Sat Mar 4 10:26:52 1989

From: bcn@JUNE.CS.WASHINGTON.EDU (Clifford Neuman)
To: kerberos@ATHENA.MIT.EDU

I just saw the following in sci.crypt:

   From: alo@kampi.hut.fi (Antti Louko)
   Newsgroups: sci.crypt
   Date: 3 Mar 89 14:38:48 GMT
   Reply-To: alo@kampi.hut.fi (Antti Louko)

   I am developing a freely distributable authentication package for the UNIX
   environment. I have now finished my DES routines. The DES package is
   available at kampi.hut.fi (128.214.3.9) by anonymous ftp. You can use
   the package for non-commercial purposes. If you want to use the
   package commercially, please contact me.

   The package is in C, and you should use the GNU C-compiler to compile it,
   as it contains no register declarations. It should compile with a normal
   C-compiler, too, but it won't be very fast. It is tested on VAX BSD
   4.3, and it has run on SUNs, too.

   The DES distribution is in a compressed tar archive file des-dist.tar.Z
   under directory ~ftp/alo.

   If you have bug fixes or other comments, please send mail to me.

	  Antti Louko
	  alo@kampi.hut.fi

Now, suppose we could convince this person to provide the same
procedural interface to DES as we use with Kerberos.  Could we then
export a version of Kerberos without encryption, and tell the people
that get that version to get the DES routines from Finland?

	~ Cliff

daemon@TELECOM.MIT.EDU (Rich Salz)
Mon Mar 6 09:28:56 1989
From: Rich Salz <rsalz@BBN.COM>
To: bcn@JUNE.CS.WASHINGTON.EDU, kerberos@ATHENA.MIT.EDU

I have a moderator in Australia for comp.sources.unix; if someone
sent him the Finland package to post, then it'd be freely available...
	/r$

From: Jerome H Saltzer <jhs%computer-lab.cambridge.ac.uk@NSS.CS.UCL.AC.UK>
To: bcn@JUNE.CS.WASHINGTON.EDU
Cc: kerberos@ATHENA.MIT.EDU
In-Reply-To: Clifford Neuman's message of Sat, 4 Mar 89 07:23:26 PST <8903041523.AA14690@june.cs.washington.edu>

> Now, suppose we could convince this person to provide the same
> procedural interface to DES as we use with Kerberos.  Could we then
> export a version of Kerberos without encryption, and tell the people
> that get that version to get the DES routines from Finland?

Cliff,

Unfortunately, we explored this path pretty thoroughly with the
lawyers.  We didn't know about the Finnish (Finlandish?)
implementation, but we knew of implementations from Switzerland,
Germany, England, and Australia.  The problem is that Kerberos with
the DES package omitted appears to fall into an equally tightly
controlled software export category called "ancillary encryption
control equipment".

The current export strategy includes reviving the PC implementation of
Kerberos with the goal of moving it into a newly-created category of
"software intended for a mass-market" or some name like that.  Then it
might be possible to export it either with a non-DES algorithm or in a
form where someone else can add whatever encryption they like.
Meanwhile, a temporary export expedient is to go through the source
and remove the calls to the encryption library completely, thereby
turning it into ordinary software for purposes of export.  Although
that approach emasculates the security, it at least preserves all the
interfaces so that the rest of the Athena system doesn't have to be
tinkered with as part of initial export projects.

					Jerry