Re: adding RADIUS to pam

Alan DeKok writes:
> Andrew writes:
> > Alan assures me that encryption when it is used for
> > authentication (as in the case of Radius' password distribution) is
> > completely fine to export from the US.  This is my understanding too,
> > but I'd really feel better if I could hear a lawyer say that.

>  (vi) Limited to data authentication which calculates a Message
> Authentication Code (MAC) or similar result to ensure no alteration of
> text has taken place, or to authenticate users, but does not allow for
> encryption of data, text or other media other than that needed for the
> authentication.

But.  By exporting source code, can I be sure _I_ am not taking
responsibility for not breaking the bit about "does not allow for
encryption of data"?  I cannot see where the ITAR rules make allowance
for the export of source code that does any flavor of reversible
encryption.  This is why I want to hear a lawyer say one way or the

The restrictions go on to say:

Note: A procedure has been established to facilitate the expeditious
transfer to the Commodity Control List of mass market software
products with encryption that meet specified criteria regarding
encryption for the privacy of data and the associated key
management. Requests to transfer commodity jurisdiction of mass market
software products designed to meet the specified criteria may be
submitted in accordance with the commodity jurisdiction provisions of
§ 120.4. Questions regarding the specified criteria or the commodity
jurisdiction process should be addressed to the Office of Defense
Trade Controls. All mass market software products with cryptography
that were previously granted transfers of commodity jurisdiction will
remain under Department of Commerce control. Mass market software
governed by this note is software that is generally available to the
public by being sold from stock at retail selling points, without
restriction, by means of over the counter transactions, mail order
transactions, or telephone call transactions; and designed for
installation by the user without further substantial support by the

>   So the RADIUS module is exportable, under ITAR Part 121, Category
> XIII, (b)(1)(vi).
>   Although I think that ITAR has since been superseded.  In any case,
> the page contains a postal address where you can order the official
> government regulations.

This does not make me feel any better.  :(

>   In addition, all free unix distributions include ways to encrypt
> user passwords.  '/etc/passwd', 'crypt', etc. have been used for
> authenticating users, and been exported for years.  I hope that
> encrypting a password for RADIUS authentication is any different.

I understand that considerable lengths were gone to to make this
legal.  The most notable one being that 'crypt()' is not a
_reversible_ encryption routine.

I have no moral objections to including Radius source in the PAM
distribution, I just have an unhealthy legal paranoia.  Not being a US
citizen but living in the US, I'm not even sure I have a right to
lobby my congressman to do anything about it!

Would you feel better if I point people to your site from the source
tree?  With 'ncftp' I can even make the build process download your
tar file as the modules are being built.... Would this satisfy you?
