directory-dev mailing list archives

From "Enrique Rodriguez" <enriqu...@gmail.com>
Subject Re: [Kerberos] Encryption types branch stabilized
Date Tue, 08 May 2007 17:43:53 GMT
On 5/8/07, Emmanuel Lecharny <elecharny@apache.org> wrote:
> Enrique,
>
> just wondering, does all this code comply with US rules about
> cryptography?

1)  We're using crypto in the JDK.  We moved to JDK crypto 100% when
we removed the Bouncy Castle dependency.

2)  US export policy restricts key size.  For example, the Sun and IBM
JDKs ship with AES256 crypto, but it is disabled by policy.  There is
an exception thrown when AES-256 is not enabled.
(a)  Because 256-bit AES keys are used in the Kerberos encryption type
'aes256-cts-hmac-sha1-96', you must install the "unlimited strength"
policy file for it to work.
(b)  Similarly, the KeyDerivationService interceptor, which is now
responsible for generating 256-bit AES keys, requires the "unlimited
strength" policy for it to automatically generate 256-bit keys.

Enrique
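
Added example, not part of the original message and not Apache Directory code: one way to detect at startup whether the installed JCE policy permits the 256-bit AES keys that 'aes256-cts-hmac-sha1-96' needs, and to drop that encryption type from the configured list instead of failing later with an exception. The class name, method names and the sample etype list are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class Aes256PolicyCheck {
    /** AES key size in bits implied by a Kerberos etype name; 0 if it is not an AES etype. */
    static int requiredAesBits(String etype) {
        if (etype.startsWith("aes256-")) return 256;
        if (etype.startsWith("aes128-")) return 128;
        return 0; // other etypes are not covered by this check
    }

    /** True if the installed policy lets a Cipher be initialised with an AES key of this size. */
    static boolean aesKeySizeUsable(int bits) throws GeneralSecurityException {
        // Under the default (limited) policy this returns 128; with "unlimited strength" it is Integer.MAX_VALUE.
        if (Cipher.getMaxAllowedKeyLength("AES") < bits) return false;
        try {
            // Probe only: the all-zero key and IV are never used to protect data.
            Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[bits / 8], "AES"),
                   new IvParameterSpec(new byte[16]));
            return true;
        } catch (InvalidKeyException e) { // "Illegal key size" when the policy forbids it
            return false;
        }
    }

    /** Keeps only the configured etypes whose AES key size the current policy allows. */
    static List<String> usableEtypes(List<String> configured) throws GeneralSecurityException {
        List<String> usable = new ArrayList<>();
        for (String etype : configured) {
            int bits = requiredAesBits(etype);
            if (bits == 0 || aesKeySizeUsable(bits)) usable.add(etype);
            else System.err.println("Disabling " + etype + ": JCE policy does not allow " + bits + "-bit AES keys");
        }
        return usable;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample configuration.
        List<String> configured = Arrays.asList("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des-cbc-md5");
        System.out.println("Max allowed AES key length: " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("Usable encryption types: " + usableEtypes(configured));
    }
}
```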
