Q. International availability of Kerberos for MacOS X

Ken Raeburn raeburn at MIT.EDU
Tue Mar 5 16:10:01 EST 2002

John Lockwood <jel at gomark.com> writes:
> In your FAQ for Kerberos 4 for MacOS X you state "However, Kerberos for
> Macintosh 4.0 is not available for download outside of North America"
> This is I presume due to the restrictions on exporting Encryption products.
> If this is true I would like to ask why?
> President Clinton relaxed the rules on exporting Encryption products to most
> countries. This allowed countries like the UK, France, Germany etc. to
> obtain Encryption products without difficulties. As a result we in the UK
> now have access to 128bit Encryption in web browsers and servers (prior to
> this change we were restricted to 56bit Encryption).
> Could you tell me why your policy is so out of date?

Encryption export policy has been a tricky matter in the past, so we
decided to proceed cautiously, and not change anything before talking
to counsel and deciding on new policies.  We heard back from the
lawyers a while ago, but we've had enough other things going on, and
little enough manpower, that no one was making sure that things were
moving forward in this area.  However, some of us have just recently
started pursuing it again.  I'm hoping the situation will change in
the next several weeks or so, but really I don't know how fast that
part of the MIT bureaucracy works, so "hoping" really is the right
work, not "expecting"... :-)

We're looking at the open-source exception only.  If I recall
correctly, all other avenues require periodic reporting of who's
downloading what, and the TSU exception (general download of open
source and binaries compiled from open source) does not.  Since most
of our code is open source, that's by far the best route for us to
take.  That doesn't automatically give companies writing proprietary
Kerberos applications or distributions based on our code the ability
to export their versions; that's for them to figure out.

MacOS 9 binaries will not be available under the TSU exception, and
personally (as someone working on the open-source UNIX and common
code) I'm not planning to pursue other avenues for exporting that
code.  If there's high demand, perhaps we can look into it, but the
head of the Mac team doesn't seem to feel there would be, with MacOS X
out now.  I don't work with the MacOS X code, but AFAIK it's all open,
and thus would be shipping along with everything else.

> PS. MIT also does this for its PGP software and the same reasoning applies.

Same internal issues, too.  We're trying to change our general crypto
export policy, not just Kerberos export.  (But the ongoing Kerberos
work does mean there are more issues to look at than simply allowing


More information about the krbdev mailing list