[ntp:hackers] Export restrictions on ntp-dev?

David Mills mills at udel.edu
Sat Apr 25 03:13:15 UTC 2009


Danny,

I can tell what MIT did, because I copied it in the late '80s. The DES 
source was encrypted with secret key. If you could prove you were living 
in the US, I would send you the key. Funny thing, that never happened. 
Folks got it from RSA-Euro.

Davae

Danny Mayer wrote:

>Dave,
>
>All the more reason that the Windows binaries are built in Germany so we
>don't have to worry about exporting OpenSSL.
>
>So we are not exporting any cryptographic code of any kind in the
>sources to NTP.
>
>No doubt that makes no difference to ITAR. I wonder what MIT has to do
>for Kerberos?
>
>Danny
>
>David Mills wrote:
>  
>
>>Danny,
>>
>>I have been around this issue many times with DARPA and even read the 
>>ITAR regulations, which unfortunately are imprecise and confusing, 
>>probably on purpose to give wiggle room. The bottom line is that, even 
>>if OpenSSL is imported from a outside the US, it can't be exported 
>>without a license. Recent enforcement of ITAR has become insane. I had 
>>to sign a statement that required me to forbid a non-US nationals from 
>>my office if research material was viewable on my display. Gives new 
>>meaning to screen saver.
>>
>>Dave
>>
>>Danny Mayer wrote:
>>
>>    
>>
>>>Brian Utterback wrote:
>>> 
>>>
>>>      
>>>
>>>>Something just came up in my efforts to get NTP 4.2.5 into Solaris. 
>>>>The question of export restrictions on crypto is part of the checklist 
>>>>for integration into any sun product, Solaris included.
>>>>
>>>>So, my question is, has the source code at udel.edu ever been through 
>>>>a U.S. government export review? If so, is there any kind of 
>>>>documentation or review number? How do other vendors deal with this? 
>>>>Any clues, pointers, hints?
>>>>
>>>>Thanks.
>>>>   
>>>>
>>>>        
>>>>
>>>I don't know of anything in the ntp code itself where that would even
>>>come up but Dave would know for sure. The only issue may be the OpenSSL
>>>code which is optional at this time, but OpenSSL is hosted outside of
>>>the US to avoid this issue from what I understand. Doesn't Sun ship
>>>OpenSSL? It does get used in Kerberos so if Sun is shipping Kerberos it
>>>should be (but not necessarily) safe to ship for ntp.
>>>
>>>Danny
>>>      
>>>
>
>  
>



More information about the hackers mailing list