rayan@ai.toronto.edu (Rayan Zachariassen) (01/31/89)
>From README.ftp in the distribution location:
Copyright (C) 1989 by the Massachusetts Institute of Technology
DISTRIBUTION OF THIS SOFTWARE IS RESTRICTED TO THE UNITED STATES OF
AMERICA. EXPORT IN ANY FORM IS FORBIDDEN.
... and from the small copyright file in the same place:
/*
Copyright (C) 1989 by the Massachusetts Institute of Technology
Export of this software from the United States of America is assumed
to require a specific license from the United States Government.
It is the responsibility of any person or organization contemplating
export to obtain such a license before exporting.
...
*/
Read it and weep.
My impression is that Kerberos (at least as applied at MIT-ATHENA) turns
any workstation into a single-user box. That severely decreases its utility.lamy@ai.utoronto.ca (Jean-Francois Lamy) (01/31/89)
As I understand things, Kerberos has parts that may not be exported outside the US, or at least parts whose status wrt exportation has not been determined. Jean-Francois Lamy lamy@ai.utoronto.ca, uunet!ai.utoronto.ca!lamy AI Group, Department of Computer Science, University of Toronto, Canada M5S 1A4
ian@sq.uucp (Ian F. Darwin) (01/31/89)
Has anybody picked up the "official" release of Kerberos yet or is everybody too busy packing up for USENIX?
chk@dretor.dciem.dnd.ca (C. Harald Koch) (02/01/89)
In article <1989Jan30.175744.11411@sq.uucp> ian@sq.com (Ian F. Darwin) writes: >Has anybody picked up the "official" release of Kerberos yet >or is everybody too busy packing up for USENIX? There is an export restriction specified all over both the posting to the net and the distributiuon at MIT. Kerberos MAY NOT BE EXPORTED FROM THE US! Therefore, no, no-one has grabbed it, and if they have, they better not admit it. :-) -- C. Harald Koch NTT Systems, Inc., Toronto, Ontario chk@zorac.dciem.dnd.ca, chk@gpu.utcs.toronto.edu, chk@chkent.UUCP "I give you my phone number. If you worry, call me. I'll make you happy."
keithh@atreus.uucp (Keith Hanlan) (02/01/89)
In article <1421@dretor.dciem.dnd.ca> chk@dretor.dciem.dnd.ca (C. Harald Koch) writes: >There is an export restriction specified all over both the posting to the >net and the distributiuon at MIT. Kerberos MAY NOT BE EXPORTED FROM THE US! > >Therefore, no, no-one has grabbed it, and if they have, they better not >admit it. :-) Actually, it says that exporters are assumed to have done the legal necessaries. If I ftp Kerberos from MIT, it is MIT that is the exporter and I would be in the clear. I am merely the IMPORTER. My conscience is clear. :-) To be truthful, I haven't bothered though. We looked at Kerberos last fall, and found it not quite suitable for our rather specialized environment. Disclaimer: These opinions are mine and do not necessarily reflect those of my employer. Keith Hanlan {uunet!attcan!}utgpu!bnr-vpa!bnr-fos!atreus!keithh Bell-Northern Research Ottawa, Canada
gamiddleton@watmath.waterloo.edu (Guy Middleton) (02/07/89)
In article <89Jan30.204455est.38031@neat.ai.toronto.edu> rayan@ai.toronto.edu (Rayan Zachariassen) writes: > >From README.ftp in the distribution location: > > Copyright (C) 1989 by the Massachusetts Institute of Technology > > DISTRIBUTION OF THIS SOFTWARE IS RESTRICTED TO THE UNITED STATES OF > AMERICA. EXPORT IN ANY FORM IS FORBIDDEN. > > ... and from the small copyright file in the same place: > > /* > Copyright (C) 1989 by the Massachusetts Institute of Technology > > Export of this software from the United States of America is assumed > to require a specific license from the United States Government. > It is the responsibility of any person or organization contemplating > export to obtain such a license before exporting. Our University Lawyers tell me that the export regulations do not apply to Canada. I have sent mail to MIT about it. I suspect that it is legal to FTP this stuff; more info coming when I am sure. -Guy
yap@me.utoronto.ca (Davin Yap) (02/07/89)
In article <23469@watmath.waterloo.edu> gamiddleton@watmath.waterloo.edu (Guy Middleton) writes: >In article <89Jan30.204455est.38031@neat.ai.toronto.edu> rayan@ai.toronto.edu (Rayan Zachariassen) writes: >> >From README.ftp in the distribution location: >> >> Copyright (C) 1989 by the Massachusetts Institute of Technology >> >> DISTRIBUTION OF THIS SOFTWARE IS RESTRICTED TO THE UNITED STATES OF >> AMERICA. EXPORT IN ANY FORM IS FORBIDDEN. >> >> ... and from the small copyright file in the same place: >> >> /* >> Copyright (C) 1989 by the Massachusetts Institute of Technology >> >> Export of this software from the United States of America is assumed >> to require a specific license from the United States Government. >> It is the responsibility of any person or organization contemplating >> export to obtain such a license before exporting. > >Our University Lawyers tell me that the export regulations do not apply to >Canada. I have sent mail to MIT about it. I suspect that it is legal to FTP >this stuff; more info coming when I am sure. > > -Guy Question: Does this also apply to the BRL CAD package? From what I can gather, these guys want us to send a tape to the Canadian Ambassador in Washington, and he'll ask them (BRL) to make a copy for us! Sites in the states can arrange to to ftp the stuff. Davin.
gamiddleton@watmath.waterloo.edu (Guy Middleton) (02/16/89)
In article <23469@watmath.waterloo.edu> gamiddleton@watmath.waterloo.edu (Guy Middleton) [that's me] writes: > Our University Lawyers tell me that the export regulations do not apply to > Canada. I have sent mail to MIT about it. I suspect that it is legal to FTP > this stuff; more info coming when I am sure. I received this reply when I queried MIT about the situation: From jon@BITSY.MIT.EDU Wed Feb 8 03:12:29 1989 From: Jon Rochlis <jon@BITSY.MIT.EDU> Date: Wed, 8 Feb 89 00:40:17 EST I've heard the same thing about export to Canada, though I can't state that as an offical MIT position. If your lawyers say its okay I would just do it and not worry about it, but that's just my personal opinion. -- Jon Also, included in the Kerberos distribution, in the 'doc' directory, is a file 'kerberos.mail', which contains a discussion of export problems. Here is an edited version of one of the messages in that discussion: From: ehrgood@wnpv01.enet (TOM EHRGOOD, WNP, DTN 427-5698) To: @cryptomemo.dis, ehrgood Subject: Crypto Export Controls - Answer To Gilmore [ ... ] Gilmore, which we received on January 28th. Gilmore's memo, which I am separately forwarding, argues that the posting of cryptographic software to certain widely available bulletin boards places that software in the "public domain," with the consequence that export licenses are not required for the exports of that software. Gilmore's analysis has been given wide distribution on various networks. Gilmore is mistaken in his analysis and in his conclusion. Given the high national security sensitivity of cryptography, generally, and DES encryption, specifically, it is important to set the record straight. The fundamental points that Gilmore gets wrong are: o Exports of cryptographic software are governed by the State Department's International Traffic in Arms Regulations ("ITAR"), not by the Commerce Department's Export Administration Regulations ("EAR"). Exports would be governed by Commerce's EAR only if State waived jurisdiction. o Although State Department regulations contain a "public domain" exemption for technical data, cryptographic software does not qualify as "technical data," and thus the "public domain" exemption does not apply. A legal analysis follows. [ ... ] Part 123 of ITAR contains rules governing export licenses for the export of "defense articles." The basic rule is stated in Section 123.1(a) as follows: Any person who intends to export a defense article must obtain a license from the Office of Munitions Control prior to the export unless the export qualifies for an exemption under the provisions of this Subchapter. Part 123 sets forth a number of exemptions in sections 123.16 through 123.22. None is these exemptions covers the posting of cryptographic software on a bulletin board. Section 126.5 exempts from the licensing requirement any exports of unclassified defense articles or unclassified technical data to Canada for end-use in Canada or return to the United States. This exemption would be potentially applicable only if the ONLY exports that might take place as a result of the bulletin board posting were exports to Canada. (See section 120.10, which defines "export" to include "[s]ending or taking defense articles outside the United States in any manner.") In any event, care would have to be taken to ensure that applicable documentation requirements are met to invoke properly the exemption. [ ... ] What has complicated the picture and confused Gilmore is that Commerce's Commodity Control List -- Commerce's counterpart to the United States Munitions List -- contains a category 1527A covering "cryptographic equipment . . . and software controlling or performing the function of such cryptographic equipment." Gilmore identified this regulatory control provision, but he misinterpreted it. Gilmore found the note in category 1527A, which states that Exporters requesting a validated license from the Department of Commerce must provide a statement from the Department of State, Office of Munitions Control, verifying that the equipment intended for export is under the licensing jurisdiction of the Department of Commerce. Gilmore mistakingly says, however, that "we are not requesting a validated license, we are using the general license, so this requirement does not apply . . . ." Gilmore missed the 1527A heading: "Validated License Required: Country Groups QSTVWYZ." These designated country groups comprise every country in the world except Canada. Consequently, a validated license issued by Commerce is required in order to make any export of 1527A-controlled cryptographic software. And because a validated license is required, exporters seeking such a license must, per the note quoted above, submit a State Department statement "verifying" that Commerce has jurisidiction over that cryptographic software. Such a statement would generally take the form of an ITAR section 120.5 commodity jurisdication determination. In sum, unless the State Department has issued a statement verifying Commerce jurisdiction over the cryptographic software that Gilmore has in mind, Commerce's controls do not apply. And without such a statement, Gilmore's analysis of section 379.3 of EAR (General License GTDA) is completely irrelevant. III. Conclusions ----------- Gilmore's conclusion that the posting of cryptographic software to a bulletin board places it in the public domain and thus exempts it from export licensing controls is flat-out wrong. U.S. law is clear: in order to export "cryptographic software" within the meaning of Category XIII(b) of the United States Munitions List to any country other than Canada, a State Department export license is required. If there is any reason to believe or suspect that a non-U.S. or non-Canadian national will gain access to that bulletin board, an export to a third country should be assumed and a license is required.. If there is any question whether specific encryption software constitutes "cryptographic software" within the meaning of Category XIII(b), clarification can be obtained under procedures established pursuant to section 120.5 of ITAR. A determination from State under 120.5 that it does not have jurisdiction is the prerequisite to bringing the control question into Commerce's export regulations. --- -Guy Middleton, University of Waterloo gamiddleton@watmath.waterloo.edu
clewis@ecicrl.UUCP (02/16/89)
After having gone thru a screaming match with John Gilmore and a few other
things, I think I can clarify things a little -
1) Public domain software, subject to some exclusions, can be exported
anywhere without being subject to export licensing or
restrictions (DOC regs that John Gilmore turned up).
2) Copyright/patented/etc. software can exported, subject to some
exclusions, *most* places. The places where you can't export
to are generally countries that don't recognize copyright.
Eg: Korea used to be in this category, and Brazil still is.
Some differentiations are made w.r.t. binary versus source etc.
In many cases it is possible to export to a country normally
restricted by filling out the appropriate license. I was involved
with a UNIX export to Korea, and can attest to the amount of forms
that needed to be filled out - though they were mostly to do
with the hardware.
3) Exclusions: throughout the US regulations there are a number of
notwithstanding clauses pointing at other legislation. The one
John Gilmore missed (regarding a PD C implementation of DES) was
a "Munitions Export" reg. You see, *all* encryption technology
is considered a "munition" and is covered under the appropriate
export restrictions. There are three or four country "categories"
here, where the most restrictive is places like Albania, USSR etc.
Next is places like China and Yugoslavia, and finally Canada and
Britain in the least restrictive category. And, each type of
encryption mechanism is restricted in different ways.
For example, it is forbidden to export Enigma to Great Britain
(which is ridiculous, considering that it was Britain that broke
it during WWII). If I understand correctly, DES "implementations"
(either in hardware or software) can only be exported to countries
in the same category as Canada, *MUST* be licensed per-customer,
and *MUST* be used only for "banking" or "message authentication"
purposes.
This is likely to be the reason why Kerberos is restricted.
Therefore, you should enquire with the US DOC for final
clarification.
This may also be the case with certain Operating Systems (eg:
secure ones) and a few other things.
An ordinary CAD package shouldn't be covered under (3).
To a certain respect, the restrictions on hardware follow the same guidelines.
FYI: The US DOC lifted the ban on export of 8Mhz 286 CPU chips to the USSR
last fall...
--
Chris Lewis, Markham, Ontario, Canada
{uunet!attcan,utgpu,yunexus,utzoo}!lsuc!ecicrl!clewis
Ferret Mailing list: ...!lsuc!gate!eci386!ferret-request
(or lsuc!gate!eci386!clewis or lsuc!clewis)