RE: Exportable encryption & Kerberos

"Mike Swift (NT)" <mikesw@microsoft.com> Fri, 16 January 1998 18:58 UTC

From: "Mike Swift (NT)" <mikesw@microsoft.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: cat-ietf@mit.edu
Subject: RE: Exportable encryption & Kerberos
Date: Fri, 16 Jan 1998 10:58:32 -0800
Message-ID: <20140418005448.2560.82400.ARCHIVE@ietfa.amsl.com>

I agree that the words "domestic" and "exportable" were poor choices - how
about "strong" and "weak", so that there are no doubts about what is being
offered? I thought about extending the AP request to include additional enc
types. However, negotiating both a key & an encryption type at the same
time is difficult - the thing to do might be to expand the key in the AP_REQ
to be a sequence of keys, and the server replies with the key it chose or
its own key.

Any support for distinguishing between strong & weak encryption is by its
very nature incompatible - clients and servers that only do weak encryption
have to fail requests to and from machines that do strong encryption, so
extending the AP request structure might be reasonable.

- Mike

> -----Original Message-----
> From:	Ken Hornstein [SMTP:kenh@cmf.nrl.navy.mil]
> Sent:	Tuesday, January 13, 1998 12:07 PM
> To:	Mike Swift (NT)
> Cc:	cat-ietf@mit.edu
> Subject:	Re: Exportable encryption & Kerberos 
> 
	...
> Maybe the thing to do is make the AP_REQ have an optional list of
> enctypes for the server to choose from?
> 
> The only thing I don't like about your proposal is the use of "domestic"
> vs "exportable"; as someone else pointed out, this is pretty US-centric.
> And what do you do if the law changes? :-)
> 
> --Ken