Date: Wed, 1 Jun 1994 10:21:53 +0100 (BST)
From: Lyn Norris <ccslsn@midge.bath.ac.uk>
To: kerberos@MIT.EDU

At Bath University, we run Kerberos version 4 in an attempt to prevent unauthorised use of our computers. We would like to acquire version 5, particularly as we plan to upgrade to Solaris 2.3, but we are unsure how to obtain a legal copy.

We believe that as the product uses encryption technology, we would need an export licence. We acquired version 4 from Australia, thus avoiding the need last time. Is there a way we can legally acquire version 5?

Lyn Norris
Computer Services Manager
From: Tony Melvin
To: ccslsn@midge.bath.ac.uk
Date: Wed, 1 Jun 94 15:06:23 METDST
Cc: kerberos@MIT.EDU
In-Reply-To: <Pine.3.89.9406011048.A6371-0100000@midge.bath.ac.uk>; from "Lyn Norris" at Jun 1, 94 10:21 am

> At Bath University, we run Kerberos version 4 in an attempt to prevent
> unauthorised use of our computers. We would like to acquire version 5,
> particularly as we plan to upgrade to Solaris 2.3, but we are unsure how
> to obtain a legal copy.
> We believe that as the product uses encryption technology, we would need
> an export licence. We acquired version 4 from Australia, thus avoiding
> the need last time. Is there a way we can legally acquire version 5?
>
> Lyn Norris
> Computer Services Manager

You are right in believing that an export licence is necessary. We have come up with a few approaches to resolving this issue:

(1) obtain an export licence for a stripped-down version of Krb5 without data encryption, then put it back together again with non-US data encryption library calls. Getting the export licence shouldn't be all that difficult, but I suppose that you'll need a US company to do it on your behalf, since it's to be exported.

(2) pay for someone else to do the above by buying Kerberos from them. This way you also get product support and a nice admin. GUI etc. OSSG, now called CyberSAFE, and other companies offer this.

(3) find someone who has done (1) above and is willing to give/sell it to you; we didn't find anybody.

Incidentally, you'll find quite a few copies of Kerberos v5 lying around that you can get by anonymous ftp in Europe. It's doubtful as to whether they were obtained by one of the approaches described above.

Good luck

Tony Melvin (tony@sodalia.it)
To: kerberos@MIT.EDU, network-security@cygnus.com
Cc: Tony Melvin <tony@sodalia.it>
Cc: ccslsn@midge.bath.ac.uk
In-Reply-To: Your message of "Wed, 01 Jun 1994 15:06:23 +0700." <9406011336.AA22181@MIT.EDU>
Date: Wed, 01 Jun 1994 13:30:54 -0700
From: John Gilmore <gnu@cygnus.com>

> At Bath University, we run Kerberos version 4 in an attempt to prevent
> unauthorised use of our computers. We would like to acquire version 5,
> particularly as we plan to upgrade to Solaris 2.3, but we are unsure how
> to obtain a legal copy.

Cygnus would like to explore with foreign organizations a way to legally produce a Kerberos-5-compatible network security implementation for use outside the United States.

> (1) obtain an export licence for a stripped-down version of Krb5
> without data encryption, then put it back together again with non-US
> data encryption library calls. Getting the export licence shouldn't be
> all that difficult, but I suppose that you'll need a US company to do
> it on your behalf, since it's to be exported.

Cygnus would be pleased to do this work; we've done the paperwork already for exporting a stripped Kerberos 4 (see http://www.cygnus.com/~gnu/export.html for a full copy). We would do the technical work to remove parts of Kerberos as needed for export, and get all the required export permissions. We would require non-US collaborators with the local expertise needed to reproduce -- from scratch and publicly available materials, not by reading illicit copies of K5! -- the parts that we had to remove for export.

> (2) pay for someone else to do the above by buying Kerberos from them. This
> way you also get product support and a nice admin. GUI etc. OSSG, now called
> CyberSAFE, and other companys offers this.

Cygnus Support is in this business as well -- with the difference that the code we support and improve for our customers is freely available to everyone. You pay for the support we give you, not for the right to run or reproduce the software.
I don't know of another company that provides international Kerberos support with full source code available. Other companies' products, besides being proprietary, are binary-only outside North America because of the choices they made in getting export clearance.

A collection of organizations could join forces and finances to contract with Cygnus to provide the initial exportable port, possibly to manage the foreign production and re-integration of replacements for the embargoed code, and then to provide support to the contracting organizations for deployment in their networks. The results would be available to the entire worldwide networking community, and the necessary changes would be integrated back into the MIT K5 release. (E.g. the North American version could adopt the foreign implementation of DES, if it was written as well as Dennis Ferguson's Canadian code. We could still not export the combination of Kerberos and DES code until the U.S. Government regains its sanity. But at least the exportable diffs for new Kerberos releases at MIT would be plug-compatible with the crypto code that would already be available from worldwide non-US archive sites.)

John Gilmore
Posted-From: The MITRE Corporation, Bedford, MA
Date: Wed, 1 Jun 1994 19:38:29 -0400
From: bede@scotty.mitre.org
To: gnu@cygnus.com (John Gilmore)
Cc: kerberos@MIT.EDU, network-security@cygnus.com, tony@sodalia.it, ccslsn@midge.bath.ac.uk
In-Reply-To: John Gilmore's message of Wed, 01 Jun 1994 13:30:54 -0700 <199406012030.NAA04217@cygnus.com>

Date: Wed, 01 Jun 1994 13:30:54 -0700
From: John Gilmore <gnu@cygnus.com>

[ . . . ] we've done the paperwork already for exporting a stripped Kerberos 4 (see http://www.cygnus.com/~gnu/export.html for a full copy). [ . . . ]

I really hope your initiative to produce Kerberos V5 "bones" freeware suitable for US export succeeds, John, but I must have missed something. MIT's crypto-free "bones" V4 distribution has been available for unrestricted export for several years. I've looked at the online material you mention and I'm afraid I still don't clearly understand what you and/or Cygnus actually accomplished that's new, although I think your collection of information about exporting cryptographic software from the US is informative.

There are no US export restrictions that I am aware of on non-crypto software, provided there aren't any contractual, copyright or patent violations entailed. This has been a fundamental assumption underlying "freeware" and PD software distribution using the Internet for years. Hence, your request for either US State or Commerce Department permission to distribute V4 "bones" at this point, and the implication that this is a required action, seems to just muddy the waters.

Having said this, the impact of import/export laws (not just the US laws) on crypto software is an important issue, although I don't think a protracted discussion is completely appropriate for this particular forum except with respect to possible or known effects on Kerberos interoperability.

- Bede McCall <bede@mitre.org>
The MITRE Corporation
Bedford, Massachusetts
To: kerberos@MIT.EDU, network-security@cygnus.com, bede@scotty.mitre.org
Cc: tony@sodalia.it, ccslsn@midge.bath.ac.uk
In-Reply-To: Your message of "Wed, 01 Jun 1994 19:38:29 EDT." <199406012338.TAA24899@scotty.mitre.org>
Date: Wed, 01 Jun 1994 17:52:50 -0700
From: John Gilmore <gnu@cygnus.com>

> MIT's crypto-free "bones" V4 distribution has been available for
> unrestricted export for several years. I've looked at the online
> material you mention and I'm afraid I still don't clearly understand
> what you and/or Cygnus actually accomplished that's new, . . .
>
> There are no US export restrictions that I am aware of on non-crypto
> software . . . Hence, your request for either US State or Commerce
> Department permission to distribute V4 "bones" at this point, and the
> implication that this is a required action, seems to just muddy the
> waters.

It is not required that you get formal permission from the State Dept. or the Commerce Dept. before exporting non-cryptographic software. However, the penalties for mistakes are severe -- including 10-year jail terms -- so prudence is advisable. Cygnus ships its other products worldwide without worrying about export issues; mistakes there are unlikely. But when it comes to software that *used to be* embargoed crypto software -- the K4 "Bones" -- we thought it prudent to get official notification from the government that the "Bones" were exportable. You-all and I realize that the intent of the Bones was to make exportable software; the question was whether that intent had been realized, to the satisfaction of the government. The "new" work that Cygnus accomplished was to verify that the intent *was* realized.

Personally I would not attempt to export a "sanitized" K5 without getting explicit, official adjudication that it was not embargoed. If a question ever came up later, it would be VERY handy to show those documents to a judge, rather than basing your defense on the "But I thought the law said..." model.
The whole of Kerberos itself is fully exportable if you read the rules in a certain way; it does authentication, authentication is not controlled by the State Dept, and the Commerce Dept allows publicly available software of any kind to be exported. There'd be no need for the Bones at all. But what exactly is authentication and when does it stretch into information hiding? Does sending a change_password request using mk_priv constitute authentication, since the privacy only extends to the authentication information? Does the existence of lower level DES routines in the source code scotch any attempt to export source code? Only the government knows for sure -- and the way we find out what it officially thinks is by submitting CJ requests. (If you do this, send me email and I'll add the CJ and response to the crypto export archives.)

The NSA interest is actually served by having uncertainty regarding crypto export -- it will encourage cautious people to not even try, and will encourage incautious fools to step way over the line so they can be skewered to publicize the controls. In this way, NSA can exert a larger actual control than the Constitution, laws, and regulations theoretically permit. (I have Justice Dept. legal documents, obtained under FOIA, that show that the Office of Legal Counsel there believes that the export laws are unconstitutional as applied to technical data -- including software -- which is protected under the First Amendment.)

It is in *our* interest as a society to have this uncertainty be resolved -- by asking the questions, publishing the official results, and publicly questioning the strange results (like the software that's exportable on paper but not on floppy). Then people who desire to live within the law will know what is allowed and what is not allowed.

I agree that protracted discussion of crypto export should move to a more appropriate forum -- perhaps comp.org.eff.talk.
Further discussion of K4 and K5 export should stay here in kerberos@mit.edu or comp.protocols.kerberos.

John Gilmore