Re: Intent to package: SRP

Ossama Othman writes:
> Hi,
> > The Secure Remote Password (SRP) distribution is a secure
> > authentication and key exchange system which protects existing
> > protocols from both passive and active network intrusions.
> Since you are in the US, won't US export restrictions be an issue here?
> Shouldn't someone outside the US package it?  If the source is here in the
> US, how do you keep it from leaving the country?  Perhaps I am missing
> something.  Sorry if I am.

SRP has two functions:  It secures the authentication process itself
(i.e. protects the password from eavesdroppers, prevents unauthorized
users from logging in) and it exchanges keys for session encryption.
The former function is not export-controlled, and SRP can be distributed
freely as an authentication-only package.

On the other hand, having encrypted sessions is a big win, so you have
a good point about having a non-US developer package it.  Perhaps an
authentication-only domestic package and a 128-bit crypto-enabled
package available from overseas would be best.

Tom Wu                        * finger -l tjw@xenon.stanford.edu for PGP key *
 E-mail: tjw@cs.Stanford.EDU          "The box said 'Requires Windows 95, NT,
  Phone: (650) 723-1565                   or better,' so I installed Linux."
   http://www-cs-students.stanford.edu/~tjw/   http://srp.stanford.edu/srp/