[3358] in Kerberos
Kerberos-5 worldwide -- it's possible
daemon@ATHENA.MIT.EDU (John Gilmore)
Wed Jun 1 16:42:31 1994
To: kerberos@MIT.EDU, network-security@cygnus.com
Cc: Tony Melvin <tony@sodalia.it>
Cc: ccslsn@midge.bath.ac.uk
In-Reply-To: Your message of "Wed, 01 Jun 1994 15:06:23 +0700."
<9406011336.AA22181@MIT.EDU>
Date: Wed, 01 Jun 1994 13:30:54 -0700
From: John Gilmore <gnu@cygnus.com>
> At Bath University, we run Kerberos version 4 in an attempt to prevent
> unauthorised use of our computers. We would like to acquire version 5,
> particularly as we plan to upgrade to Solaris 2.3, but we are unsure how
> to obtain a legal copy.
Cygnus would like to explore with foreign organizations a way to
legally produce a Kerberos-5-compatible network security
implementation for use outside the United States.
> (1) obtain an export licence for a stripped-down version of Krb5
> without data encryption, then put it back together again with non-US
> data encryption library calls. Getting the export licence shouldn't be
> all that difficult, but I suppose that you'll need a US company to do
> it on your behalf, since it's to be exported.
Cygnus would be pleased to do this work; we've done the paperwork
already for exporting a stripped Kerberos 4 (see
http://www.cygnus.com/~gnu/export.html for a full copy). We would do
the technical work to remove parts of Kerberos as needed for export,
and get all the required export permissions.
We would require non-US collaborators with the local expertise needed
to reproduce -- from scratch and publicly available materials, not by
reading illicit copies of K5! -- the parts that we had to remove for
export.
> (2) pay for someone else to do the above by buying Kerberos from them. This
> way you also get product support and a nice admin. GUI etc. OSSG, now called
> CyberSAFE, and other companys offers this.
Cygnus Support is in this business as well -- with the difference that
the code we support and improve for our customers is freely available
to everyone. You pay for the support we give you, not for the right to
run or reproduce the software.
I don't know of another company that provides international Kerberos
support with full source code available. Other companies' products,
besides being proprietary, are binary-only outside North America
because of the choices they made in getting export clearance.
A collection of organizations could join forces and finances to
contract with Cygnus to provide the initial exportable port, possibly
to manage the foreign production and re-integration of replacements
for the embargoed code, and then to provide support to the contracting
organizations for deployment in their networks. The results would be
available to the entire worldwide networking community, and the
necessary changes would be integrated back into the MIT K5 release.
(E.g. the North American version could adopt the foreign
implementation of DES, if it was written as well as Dennis Ferguson's
Canadian code. We could still not export the combination of Kerberos
and DES code until the U.S Government regains its sanity. But at
least the exportable diffs for new Kerberos releases at MIT would be
plug-compatible with the crypto code that would already be available
from worldwide non-US archive sites.)
John Gilmore
