From owner-freebsd-current Mon Dec 16 09:12:12 1996
From: dicen@hooked.net
Date: Mon, 16 Dec 1996 09:09:55 +0000
To: Garrett Wollman
CC: Paul Richards, Bill Paul, Terry Lambert, current@freebsd.org
Subject: Re: Plan for integrating Secure RPC -- comments wanted

Garrett Wollman wrote:
>
> < said:
>
> > I had a discussion with someone in the Perl group who was from ORA. He
> > claimed FreeBSD was being overly restrictive in its lack of DES
> > code. He cited NetBSD and 4.4 claiming that both were exportable
> > because the DES code was only being used for authentication and not
> > encryption.
>
> He is wrong, mostly. We /could/ export libdescrypt, but IN BINARY
> FORM ONLY. (We'd probably have to get a CJ and a license ruling from
> the Commerce Department first, just to be safe.) Exporting the source
> code is problematic, because it could easily be turned back into an
> ordinary encryption/decryption engine. (The libcrypt/libcipher split
> was done in this way under my guidance specifically to make it easier
> for someone to get an export license for a binary distribution
> containing libdescrypt.)

Am I missing something here? Why do we care if the DES is exportable or
not? Someone in a foreign country can just go to ftp.freebsd.org and
download the source to the DES code anyway, can they not? If not, I am
sure they could go to funet.fi or some other server. Yes, this person
would be breaking US law if they downloaded it from ftp.freebsd.org, but
do they care? No. Does anyone care what the Commerce Department or any
of the government agencies say about encryption? No.

Why do you all care if the US Government approves your exportable DES
code? DES and other encryption code is probably on more foreign servers
than US ones. I go to foreign servers all the time to get such code
because the US Government seems to harass US servers.

Short and simple: If someone in a foreign land wants to put DES in
FreeBSD, then just let him get the source code. This is what he does now
anyway.

>
> The exception the ORA person was thinking of is how DEC is able to
> export Kerberos in binary form. They in-line the DES code into libkrb
> where it's called, and don't provide the krb_*_priv() functions which
> provide indirect access to the encryption mechanism. This allows them
> to create a library which is only capable of performing
> authentication, not providing privacy, and so the government allows
> them to export it.
>
> -GAWollman
>
> --
> Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
> wollman@lcs.mit.edu  | O Siem / The fires of freedom
> Opinions not those of| Dance in the burning flame
> MIT, LCS, ANA, or NSA| - Susan Aglukark and Chad Irschick