Date: Wed, 1 Jun 1994 10:21:53 +0100 (BST)
From: Lyn Norris < ccslsn@midge.bath.ac.uk>
To: kerberos@MIT.EDU



At Bath University, we run Kerberos version 4 in an attempt to prevent 
unauthorised use of our computers. We would like to acquire version 5, 
particularly as we plan to upgrade to Solaris 2.3, but we are unsure how 
to obtain a legal copy.
We believe that as the product uses encryption technology, we would need 
an export licence. We acquired version 4 from Australia, thus avoiding 
the need last time. Is there a way we can legally acquire version 5?


Lyn Norris

Computer Services Manager

From: Tony Melvin 
To: ccslsn@midge.bath.ac.uk
Date: Wed, 1 Jun 94 15:06:23 METDST
Cc: kerberos@MIT.EDU
In-Reply-To: <Pine.3.89.9406011048.A6371-0100000@midge.bath.ac.uk>; 
from "Lyn Norris" at Jun 1, 94 10:21 am

> 
> 
> 
> At Bath University, we run Kerberos version 4 in an attempt to prevent 
> unauthorised use of our computers. We would like to acquire version 5, 
> particularly as we plan to upgrade to Solaris 2.3, but we are unsure how 
> to obtain a legal copy.
> We believe that as the product uses encryption technology, we would need 
> an export licence. We acquired version 4 from Australia, thus avoiding 
> the need last time. Is there a way we can legally acquire version 5?
> 
> 
> Lyn Norris
> 
> Computer Services Manager
> 
> 
You are right in believing that an export licence is necessary. We have
come up with a few approaches to resolving this issue:
(1) obtain an export licence for a stripped-down version of Krb5 without data
encryption, then put it back together again with non-US data encryption 
library calls. Getting the export licence shouldn't be all that difficult, but
I suppose that you'll need a US company to do it on your behalf, since it's to
be exported.
(2) pay for someone else to do the above by buying Kerberos from them. This
way you also get product support and a nice admin. GUI etc. OSSG, now called 
CyberSAFE, and other companies offer this.
(3) find someone who has done (1) above and is willing to give/sell it to you;
we didn't find anybody.

Incidentally, you'll find quite a few copies of Kerberos v5 lying around that you can get
by anonymous ftp in Europe. It's doubtful as to whether they were obtained by
one of the approaches described above.

Good luck

Tony Melvin (tony@sodalia.it)

To: kerberos@MIT.EDU, network-security@cygnus.com
Cc: Tony Melvin <tony@sodalia.it>
Cc: ccslsn@midge.bath.ac.uk
In-Reply-To: Your message of "Wed, 01 Jun 1994 15:06:23 +0700."
             <9406011336.AA22181@MIT.EDU> 
Date: Wed, 01 Jun 1994 13:30:54 -0700
From: John Gilmore <gnu@cygnus.com>

> At Bath University, we run Kerberos version 4 in an attempt to prevent 
> unauthorised use of our computers. We would like to acquire version 5, 
> particularly as we plan to upgrade to Solaris 2.3, but we are unsure how 
> to obtain a legal copy.

Cygnus would like to explore with foreign organizations a way to
legally produce a Kerberos-5-compatible network security
implementation for use outside the United States.

> (1) obtain an export licence for a stripped-down version of Krb5
> without data encryption, then put it back together again with non-US
> data encryption library calls. Getting the export licence shouldn't be
> all that difficult, but I suppose that you'll need a US company to do
> it on your behalf, since it's to be exported.

Cygnus would be pleased to do this work; we've done the paperwork
already for exporting a stripped Kerberos 4 (see
http://www.cygnus.com/~gnu/export.html for a full copy).  We would do
the technical work to remove parts of Kerberos as needed for export,
and get all the required export permissions.

We would require non-US collaborators with the local expertise needed
to reproduce -- from scratch and publicly available materials, not by
reading illicit copies of K5! -- the parts that we had to remove for
export.

> (2) pay for someone else to do the above by buying Kerberos from them. This
> way you also get product support and a nice admin. GUI etc. OSSG, now called 
> CyberSAFE, and other companies offer this.

Cygnus Support is in this business as well -- with the difference that
the code we support and improve for our customers is freely available
to everyone.  You pay for the support we give you, not for the right to
run or reproduce the software.

I don't know of another company that provides international Kerberos
support with full source code available.  Other companies' products,
besides being proprietary, are binary-only outside North America
because of the choices they made in getting export clearance.

A collection of organizations could join forces and finances to
contract with Cygnus to provide the initial exportable port, possibly
to manage the foreign production and re-integration of replacements
for the embargoed code, and then to provide support to the contracting
organizations for deployment in their networks.  The results would be
available to the entire worldwide networking community, and the
necessary changes would be integrated back into the MIT K5 release.
(E.g. the North American version could adopt the foreign
implementation of DES, if it was written as well as Dennis Ferguson's
Canadian code.  We could still not export the combination of Kerberos
and DES code until the U.S. Government regains its sanity.  But at
least the exportable diffs for new Kerberos releases at MIT would be
plug-compatible with the crypto code that would already be available
from worldwide non-US archive sites.)

	John Gilmore

Posted-From: The MITRE Corporation, Bedford, MA
Date: Wed, 1 Jun 1994 19:38:29 -0400
From: bede@scotty.mitre.org
To: gnu@cygnus.com (John Gilmore)
Cc: kerberos@MIT.EDU, network-security@cygnus.com, tony@sodalia.it,
        ccslsn@midge.bath.ac.uk
In-Reply-To: John Gilmore's message of Wed, 01 Jun 1994 13:30:54 -0700 
<199406012030.NAA04217@cygnus.com>

   Date: Wed, 01 Jun 1994 13:30:54 -0700
   From: John Gilmore <gnu@cygnus.com>

   [ . . . ] we've done the paperwork
   already for exporting a stripped Kerberos 4 (see
   http://www.cygnus.com/~gnu/export.html for a full copy).

   [ . . . ]

I really hope your initiative to produce Kerberos V5 "bones" freeware
suitable for US export succeeds, John, but I must have missed something.
MIT's crypto-free "bones" V4 distribution has been available for
unrestricted export for several years.   I've looked at the online
material you mention and I'm afraid I still don't clearly understand
what you and/or Cygnus actually accomplished that's new, although I
think your collection of information about exporting cryptographic
software from the US is informative.

There are no US export restrictions that I am aware of on non-crypto
software, provided there aren't any contractual, copyright or patent
violations entailed.  This has been a fundamental assumption
underlying "freeware" and PD software distribution using the Internet
for years.  Hence, your request for either US State or Commerce
Department permission to distribute V4 "bones" at this point, and the
implication that this is a required action, seems to just muddy the
waters.

Having said this, the impact of import/export laws (not just the US
laws) on crypto software is an important issue, although I don't think
a protracted discussion is completely appropriate for this particular
forum except with respect to possible or known effects on Kerberos
interoperability.


- Bede McCall <bede@mitre.org>

   The MITRE Corporation
   Bedford, Massachusetts

To: kerberos@MIT.EDU, network-security@cygnus.com, bede@scotty.mitre.org
Cc: tony@sodalia.it, ccslsn@midge.bath.ac.uk
In-Reply-To: Your message of "Wed, 01 Jun 1994 19:38:29 EDT."
             <199406012338.TAA24899@scotty.mitre.org> 
Date: Wed, 01 Jun 1994 17:52:50 -0700
From: John Gilmore <gnu@cygnus.com>

> MIT's crypto-free "bones" V4 distribution has been available for
> unrestricted export for several years.   I've looked at the online
> material you mention and I'm afraid I still don't clearly understand
> what you and/or Cygnus actually accomplished that's new, . . .
>
> There are no US export restrictions that I am aware of on non-crypto
> software . . .   Hence, your request for either US State or Commerce
> Department permission to distribute V4 "bones" at this point, and the
> implication that this is a required action, seems to just muddy the
> waters.

It is not required that you get formal permission from the State Dept.
or the Commerce Dept. before exporting non-cryptographic software.
However, the penalties for mistakes are severe -- including 10-year
jail terms -- so prudence is advisable.

Cygnus ships its other products worldwide without worrying about
export issues; mistakes there are unlikely.  But when it comes to
software that *used to be* embargoed crypto software -- the K4 "Bones"
-- we thought it prudent to get official notification from the
government that the "Bones" were exportable.  You-all and I realize
that the intent of the Bones was to make exportable software; the
question was whether that intent had been realized, to the
satisfaction of the government.  The "new" work that Cygnus
accomplished was to verify that the intent *was* realized.

Personally I would not attempt to export a "sanitized" K5 without
getting explicit, official adjudication that it was not embargoed.  If
a question ever came up later, it would be VERY handy to show those
documents to a judge, rather than basing your defense on the "But I
thought the law said..." model.

The whole of Kerberos itself is fully exportable if you read the rules
in a certain way; it does authentication, authentication is not
controlled by the State Dept, and the Commerce Dept allows publicly
available software of any kind to be exported.  There'd be no need for
the Bones at all.  But what exactly is authentication and when does it
stretch into information hiding?  Does sending a change_password
request using mk_priv constitute authentication, since the privacy
only extends to the authentication information?  Does the existence of
lower level DES routines in the source code scotch any attempt to
export source code?  Only the government knows for sure -- and the way
we find out what it officially thinks is by submitting CJ requests.
(If you do this, send me email and I'll add the CJ and response to the
crypto export archives.)

The NSA interest is actually served by having uncertainty regarding
crypto export -- it will encourage cautious people to not even try,
and will encourage incautious fools to step way over the line so they
can be skewered to publicize the controls.  In this way, NSA can exert
a larger actual control than the Constitution, laws, and regulations
theoretically permit.  (I have Justice Dept. legal documents, obtained
under FOIA, that show that the Office of Legal Counsel there believes
that the export laws are unconstitutional as applied to technical data
-- including software -- which is protected under the First Amendment.)
It is in *our* interest as a society to have this uncertainty be
resolved -- by asking the questions, publishing the official results,
and publicly questioning the strange results (like the software that's
exportable on paper but not on floppy).  Then people who desire to
live within the law will know what is allowed and what is not allowed.

I agree that protracted discussion of crypto export should move to
a more appropriate forum -- perhaps comp.org.eff.talk.  Further
discussion of K4 and K5 export should stay here in kerberos@mit.edu
or comp.protocols.kerberos.

	John Gilmore