anonymous CVS access?

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Mar 28 14:33:47 EST 2003


>The amount of paperwork is zilch, you need only send an email to
>crypt at bxa.doc.gov, there's not even a form to fill out.  "Hi, I'm
>exporting source code, it's at URL".  You don't even need to worry
>about the 7 terrorist states.

If only it was that easy.

The problem is that when you have a large organization, the lawyers
generally have one overriding purpose: protect that organization from
getting sued.  They do other things, but that's their main purpose.
I've never had any dealings with the MIT lawyers myself, but if they're
like the _other_ organizational lawyers that I've dealt with, they're
mainly worried about not getting sued and not breaking the law in a
detectable way.  The easiest way a lawyer has of preventing a lawsuit
or getting thrown in jail is to say "no" to any questionable
activities.  I mean, which is easier: poring over pages and pages of
export regulations, or saying "no"?

Now, you know and I know that really, if they had bothered to _read_
the export regulations, they know it would be fine.  The problem is
that the lawyer is typically high up in an organization, and getting to
them to explain what you're trying to do is a painful process.  Unless
there is money on the line (and in some cases, that doesn't even help),
they won't have any reason to help you.  So, to take a cynical view
(speaking as someone who has had zero dealings with the MIT lawyers),
will exporting Kerberos generate any additional revenue for MIT?  The
answer is almost certainly "no", so their motivation may not be very
high.

The other problem is people on the bottom of the organizational food
chain (like me) don't have the authority to export something; there is
no doubt a policy somewhere stating that you need to get approval to
release export-controlled materials, and we're right back where we
started.

To give you an example of this problem, I got a call yesterday from
someone who works for a large commercial organization, selling a product
that contained encryption, asking if it was okay to export products
containing 3DES.  I said, "Well, I don't know why you're asking ME, but
it's my understanding that it is fine, but that's really a question for
your legal staff".  He indicated to me that he had put the question
to his company's legal staff, and they couldn't find any evidence that
such exports were permitted.  I pointed him to a few web pages at
http://www.bxa.doc.gov, and he found those pages and was going to take
them back to his legal staff.  This is, unfortunately in my experience,
all too typical.

--Ken


More information about the krbdev mailing list