From owner-freebsd-current Mon Dec 16 08:30:59 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id IAA15930 for current-outgoing; Mon, 16 Dec 1996 08:30:59 -0800 (PST)
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id IAA15920 for ; Mon, 16 Dec 1996 08:30:55 -0800 (PST)
Received: by halloran-eldar.lcs.mit.edu; (5.65v3.2/1.1.8.2/19Aug95-0530PM) id AA18822; Mon, 16 Dec 1996 11:29:31 -0500
Date: Mon, 16 Dec 1996 11:29:31 -0500
From: Garrett Wollman
Message-Id: <9612161629.AA18822@halloran-eldar.lcs.mit.edu>
To: Paul Richards
Cc: Bill Paul , terry@lambert.org (Terry Lambert), current@FreeBSD.ORG
Subject: Re: Plan for integrating Secure RPC -- comments wanted
In-Reply-To: <57ohfubkk5.fsf@tees.elsevier.co.uk>
References: <199612152351.SAA05656@skynet.ctr.columbia.edu> <57ohfubkk5.fsf@tees.elsevier.co.uk>
Sender: owner-current@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

< said:

> I had a discussion with someone in the Perl group who was from ORA. He
> claimed FreeBSD was being overly restrictive in its lack of DES
> code. He cited NetBSD and 4.4 claiming that both were exportable
> because the DES code was only being used for authentication and not
> encryption.

He is wrong, mostly. We /could/ export libdescrypt, but IN BINARY FORM ONLY. (We'd probably have to get a CJ and a license ruling from the Commerce Department first, just to be safe.) Exporting the source code is problematic, because it could easily be turned back into an ordinary encryption/decryption engine. (The libcrypt/libcipher split was done in this way under my guidance specifically to make it easier for someone to get an export license for a binary distribution containing libdescrypt.)

The exception the ORA person was thinking of is how DEC is able to export Kerberos in binary form. They in-line the DES code into libkrb where it's called, and don't provide the krb_*_priv() functions which provide indirect access to the encryption mechanism. This allows them to create a library which is only capable of performing authentication, not providing privacy, and so the government allows them to export it.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, ANA, or NSA|                     - Susan Aglukark and Chad Irschick