httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Elizabeth Frank)
Subject Re: export restrictions & mirroring Apache at NCSA
Date Mon, 22 May 1995 14:41:10 GMT
On May 21, 12:40pm, Robert S. Thau wrote:
} Subject: Re: export restrictions & mirroring Apache at NCSA
 > Hmmm... this "crypt" thing is, despite the name, really just used as
 > a one-way function to encrypt the stored forms of passwords, hashed with
 > a fourteen-bit salt (well within the 40-bit apparent export limit).
 > Still, DES is involved in at least the standard version (although I
 > remember hearing something about wimpy-crypt based versions in the
 > export editions of some commercial Unices, with the same interface).
 > Beth, could you say if NCSA has looked into this?
 > rst
}-- End of excerpt from Robert S. Thau

As I said before, "crypt" (as we use it) is OK.  The NSA is only
concerned with things that could be modified for bulk encryption,
so one-way functions aren't a problem.  Wimpy encryption can be
OK'ed through a shortened review process (something about a bulk
software license).  The NCSA server will be going through this
process.  If you are interested, I can report back after we've 
done it.  I theory (according to the NSA people) it is a relatively
painless 3 week review by NSA to confirm Commerce has jurisdiction
over the code.  I still haven't tracked down what, if anything we'll
have to do for the Commerce dept. other than being under Commerce
juristiction is a "Good Thing".

	-Beth Frank

View raw message