microsoft xp gssapi client talking to solaris8 gssapi server

Steve Langasek vorlon at dodds.net
Sun Oct 6 15:36:05 EDT 2002


On Sun, Oct 06, 2002 at 02:53:42PM -0400, Ken Hornstein wrote:
> >> >Similarly, with the MIT tarball, I grab it from the UK debian mirror as a
> >> >.deb and extract it.  The export was not done by me & I haven't broken any
> >> >laws by downloading it.

> >> If you believe THAT, then I've got a couple dozen bridges I'd like to
> >> sell you.

> >Er, which law are you suggesting that he's violating by downloading
> >Kerberos from a UK site?

> US Export law, perhaps?  Note that IANAL, but I have seen a statement
> out of the BXA saying that even though the Kerberos code in question
> was in the UK (the person was asking about a site in the UK that had
> Kerberos on it), anyone downloading Kerberos from that site could still
> be in violation of US Export law.  And personally, I have a hard
> time believing that a lawmaker would miss such an obvious loophole.

> Now, are the crypto police going to be breaking down your door?
> Unlikely.  Does MIT Kerberos already qualify for an export exemption?
> Almost certainly.  Did Debian already do the necessary mojo to
> export MIT Kerberos?  Yup.  But don't go kidding yourself that
> you're somehow protecting yourself by getting MIT Kerberos from an
> offshore site, if that original export wasn't done legally.

I assumed it was a given in this case that the original export was done
legally.  True, the UK Debian mirror is no different from a US mirror in
this regard, but I took your message as suggesting there was a known 
export violation here.

In any case, though IANAL, my understanding of the export regs is that
the penalties apply mostly to the *exporter*; so anyone outside the US who
gets their hands on Kerberos is safe, unless they're also redistributing
it and becoming exporters themselves.

Steve Langasek
postmodern programmer


