From: Bear Giles <bear@coyotesong.com>
Subject: Kerberos5 and US export law
To: lwn@lwn.net
Date: Wed, 20 Oct 1999 08:19:37 -0600 (MDT)

(I put together a few notes this morning, to try to hit your weekly news section, but I'm sure it needs to be cleaned up and I have to hit the road. I'll try to check my mail during the day if you have any questions, or you might want to do a more generic story on kerberos in general.)

Several news sites are covering the administration floating the possibility of relaxing export restrictions on source code, not just binaries, due to the growing importance of Linux and *BSD.

This is not a trivial matter since Windows 2000 uses Kerberos for authentication, and the free (speech and beer) MIT Kerberos 5 implementation is currently subject to export control due to inclusion of DES and triple-DES. OSS and Windows interoperability *will* suffer if we don't have widespread Kerberos support.

Even non-W2K users are affected by lack of Kerberos support since many cable modem companies use a variant of Kerberos to authenticate their customers.

For these reasons and others I've been working towards a year-end Kerberized Debian distribution tentatively named "Coyote Linux" (the "coyote" is a play on Kerberos, a three-headed dog that guards the gates of Hell), with a very, very scary three-headed penguin logo.

I didn't want to make a widespread announcement until I had a solid beta release, but this trial balloon changes everything.

It goes without saying that if the source code export controls are relaxed, I will submit all of my work to Debian for possible inclusion in the main distribution. Creating an affinity distro that doesn't fragment the market is difficult and time-consuming.

Current status, kerberized slink packages

  Kerberos5-1.1 packages (10): early beta. I've used 1.0.5 without problems, but I've had problems getting 1.1 servers up.
  cvs: converted
  lprng: converted
  xfree86: uses old k5 API. Plan to add GSSAPI API
  postgresql: uses old k5 API. Plan to add GSSAPI API
  coda: early beta in slink; will investigate for potato
  amanda: uses k4, k5 support still beta

It goes without saying that SAMBA will have to be modified to use K5... including any MS extensions and enhancements.

Additional links for Kerberos are:

  http://web.mit.edu/kerberos/mit
  http://www.performancecomputing.com/features/9809f1.shtml

You can also find an article about MS Kerberos in current magazines.

If you use Linux or *BSD and the internet in any way, *please* follow this story. I, and others, can produce US-only distributions if we have to, but we could never compete with proprietary solutions in any organization which had foreign offices - they would be forced to use either proprietary solutions (regardless of the other problems that product might introduce) or foreign products.

Bear Giles
bgiles@coyotesong.com