kauffman@UUNET.UU.NET (David Kauffman) (10/23/90)
is kerberos available via anonymous ftp? is there a licencing agreement required? do you know if a commercial implementation has been made available? thanks David Kauffman Network Management Architect Mobile Data International, Vancouver BC
jon@MIT.EDU (Jon A. Rochlis) (10/23/90)
is kerberos available via anonymous ftp? Yes, but you (not MIT) must deal with the export issues. We make it avaible via anonymous ftp, but clearly state that you cannot pull it across internal boundaries. See the README referenced below for more details. is there a licencing agreement required? No. You may even use the code in a commerical product if you wish. You just can't remove the MIT copyright or use MIT's name in advertising without permission. do you know if a commercial implementation has been made available? Several companies have shipped products or are planning on doing so soon. These include DEC, IBM, FTP software, OSF, and Transarc. There are a couple of others I can't mention at this time. -- Jon To retrieve the distribution, ftp to ATHENA-DIST.MIT.EDU (18.71.0.38), login as anonymous (password whatever you like, usually your username@host), then cd to pub/kerberos. Retrieve README.ftp, it has directions on how to get to the rest of the software (it also contains information on who to contact for export versions of the source code with no encryption routines). Distribution is split compressed tar files (xxx.Z.aa, xxx.Z.ab, ...). If you would like to retrieve documents separately, you can get them from pub/kerberos/doc (documents) or pub/kerberos/man (manual pages). If you prefer hardcopy of the documentation, send your address and request to "info-kerberos@athena.mit.edu". Alternatively, you may retrieve the source code and documentation by sending electronic mail to 'archive-server@athena-dist.mit.edu'. The subject line should be with 'index krb-code'. This will return an index of the distribution. To retrieve pieces of the distribution, send mail with a subject 'send krb-code xxxx' where xxxx is the filename as listed in the index. To retrieve documents this way, send a message 'index krb-doc' to get the document index. If you would like to be put on the Kerberos e-mail list ("kerberos@athena.mit.edu"), send your request to "kerberos-request@athena.mit.edu". This mailing list is gatewayed to the USENET newsgroup comp.protocols.kerberos, so if you prefer to read that forum, you need not ask to be added to kerberos@athena.mit.edu. I would like to thank the following people for their assistance in getting Kerberos in shape for release: Andrew Borthwick-Leslie Bill Bryant Doug Church Rob French Dan Geer Andrew Greene Ken Raeburn Jon Rochlis Mike Shanzer Bill Sommerfeld Jennifer Steiner Win Treese Stan Zanarotti FYI, the copyright notice: Copyright (C) 1989 by the Massachusetts Institute of Technology Export of this software from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. -------- John Kohl MIT Project Athena/Kerberos Development Team
karn@envy.bellcore.com (Phil Karn) (10/26/90)
I hate to reopen the subject of export controls, but recently I had a chance to actually READ the relevant ITAR documents. If I understand them correctly, they no longer prohibit the export of Kerberos since it is "public domain technical data" (as defined by the rules). Here are two items I recently posted on sci.crypt: Newsgroups: sci.crypt From: karn@envy.bellcore.com (Phil Karn) Subject: Re: Cryptography and the Law... Message-ID: <1990Oct22.192542@envy.bellcore.com> Reply-To: karn@thumper.bellcore.com Date: Mon Oct 22 19:25:42 1990 In article <1990Oct16.203545.4347@odin.corp.sgi.com>, nelson@sgi.com (Nelson Bolyard) writes: |> The export of encryption technology is *controlled* (not *ban*ed) by |> two departments of the U.S. Gov't. They control it by issuing (or not |> issuing) export licenses. [...] Has anybody actually LOOKED recently at the regulations to see what they say? Yesterday I saw a copy of the International Traffic in Arms Regulations (ITARs) which are maintained by the US Department of State. It carried a November 1989 date. I was surprised to see that it now includes a blanket exemption for any "technical data" (which I interpret according to their definition to include cryptographic software) that is in the "public domain", which they define as information readily accessible to the public in any of several ways (note that this is different from the intellectual property definition of "public domain"). So it appears that the ITARs now include the same exemption for publicly available information that has long been carried in the Commerce Dept regulations. If so, it seems that there is no longer any reason to worry about the export of Kerberos, any of the various public-domain DES implementations, or indeed implementations of *any* cryptographic scheme as long as the author is willing to publish the code in the open literature. Proprietary systems would still be subject to controls. Has anybody else *recently* looked into this subject? Phil Newsgroups: sci.crypt From: karn@envy.bellcore.com (Phil Karn) Subject: Re: Cryptography and the Law... Message-ID: <1990Oct23.052418.1957@bellcore-2.bellcore.com> Reply-To: karn@thumper.bellcore.com (Phil Karn) Date: Tue, 23 Oct 90 05:24:18 GMT Here are the relevant excerpts from the International Traffic in Arms Regulations (ITAR) (22 CFR 120-130) November 1989: [Definitions] 120.18 Public domain "Public domain" means information which is published and which is generally accessible or available to the public: (a) Through sales at newsstands and bookstores; (b) Through subscriptions which are available without restriction to any individual who desires to obtain or purchase the published information; (c) Through second class mailing privileges granted by the U.S. Government; or, (d) At libraries open to the public. [US Munitions List] 121.1 (Category XIII) (b) Speech scramblers, privacy devices, cryptographic devices and software (encoding and decoding), and components specifically designed or modified therefore, ancillary equipment, and protective apparatus specifically designed or modified for such devices, components, and equipment. [Part 125 - Licenses for the export of technical data and classified defense articles] 125.1 Exports subject to this part 125.1 (a) The export controls of this part apply to the export of technical data and the export of classified defense articles. Information which is in the "public domain" (see Section 120.18) is not subject to the controls of this subchapter.