OpenBSD-4.6/usr.sbin/afs/src/rx/transarc
From Tony_Mauro@transarc.com Wed Nov 20 22:08:16 1996
Date: Wed, 17 Jul 1996 15:35:18 -0400 (EDT)
From: Tony_Mauro@transarc.com
To: shadow@dementia.org
Cc: Ken_Ziolkowski@transarc.com, Kathleen_Rizzuti@transarc.com
Subject: answer on TR-20916
Dear Derrick:
Transarc's licensing coordinator, Ken Ziolkowski, asked me to write to you
about TR-20916, to share what he learned at a recent IBM seminar on
export controls in Washington DC.
While at the seminar, he discussed with several IBM experts on US
export regulations your proposed mechanisms for protecting the
"DES-contaminated" parts of Rx. Unfortunately, they do not feel that
your proposals are sufficient. I'm referring specifically to the
possibilities you described in your mail of 6-21-96:
2) Create a patch and do one of:
a) place it in a hidden directory on an ftp server, forcing users who
wish to fetch it to telnet to the machine and log in as
"getrx". (telnet to bitsy.mit.edu and log in as getpgp, for
instance) The directory is moved every 30 minutes.
b) have users send me email certifying that they are U.S. citizens, at
which point they will be given a pointer to the hidden
directory. The directory would be moved daily, like getting Kerberos
from Cygnus.
Possibility (b) is more secure than (a), but it still falls short in
two respects:
- email certification of US citizenship is not sufficient. It is
not that hard to masquerade as someone other than your true
identity, and even (I believe) to fake a US/Canada origination
address when outside those countries. You need to get written
certification, as I'll detail below.
- in addition to certification of citizenship, requesters need to
certify that they will not redistribute the software to anyone
ineligible to receive it.
Transarc could approve your third possibility
c) I have contacted people at MIT to see if they would be interested
in doing distribution; It may be possible to arrange with someone
there to do distribution using their existing channels.
on the assurance that MIT's channels would control access to DES
as strictly as Transarc must do when it distributes software.
The forms of redistribution that Transarc can approve are:
First, you may redistribute the Rx source code that does not "contain any
DES algorithms which can be used to encrypt data." In other words,
you may implement the following part of your 6-21-96 mail:
1) Strip away anything which might possibly be export-controlled, and
create a "clean" version, which will be advertised, and put in a
public place. Presumably removing des and rxkad, plus possibly a bit
more (I haven't looked yet) will be sufficient for this purpose.
The US Government classifies such software as "GDTA" (I don't know
what that stands for). Here are some guidelines that Ken picked up at
the seminar about distributing it:
When providing GTDA software over the network (whether
by FTP, Web Site or other electronic means):
1. software must be provided on a 'no charge' basis.
2. the provider may not impose limitations or constraints on
the use of the software; e.g. no 'license or use' provisions are
applicable. The software is truly 'publicly' available.
3. generally, it should be made available on an anonymous basis; that
is, you aren't collecting names and addresses. While we may be able to
preserve the characteristics of GTDA if we collect names and addresses
e.g. for future marketing purposes, I think it's much easier to
reconcile when we don't collect the names.
Second, for your own protection against prosecution, we must strongly
recommend that you drop the idea of distributing the DES source
version of Rx. The US Government classifies software that uses the DES
algorithms to encrypt data as a ``munition'' and imposes strict
penalties for non-authorized distribution. If you use mechanism (a) or
(b) from above, you would be in violation of Federal law.
To comply with the law, you would need to have requestors sign a
written copy of something like the following, which is taken from the
AFS License Agreement:
The End-user hereby agrees and acknowledges that any technology and
technical data obtained by the end-user, including the
___________________ software, are under the jurisdiction of the export
control laws and regulations of the United States and that any direct
or indirect export, re-export, license, sale or other transfer of such
technology may require the prior authorization of the United States
government. The end-user expressly warrants that in its activities
under this Agreement it will comply with all applicable laws and
regulations of the United States and its departments and agencies
relating to the export of technical data. In the event of any breach
of the foregoing warranty, the end-user hereby indemnifies
_________________(the parties providing the technology/technical
data/software) and agrees to hold such parties harmless from and
against any loss, liability, cost, damage or expense that such parties
incurs or suffers as a result in any way of the end-user's failure to
comply with such United States laws and regulations.
Obviously, you would need to protect the software against access by
anyone who had not signed such a statement.
The US Government's attitude toward this issue is serious enough that
Transarc would be liable for prosecution if we were aware you were
planning to (or actually did) go ahead and use one of your proposed
mechanisms, and did not try to get you to stop. Therefore, Ken will
be sending you a written confirmation basically repeating what I've
said here.
Ken and I would both like to apologize for any damper this puts on our
plans. We recognize that you are trying to do a service to the
software community, but unfortunately the export laws do not take good
intentions into consideration. Further, we appreciate very much that
you asked us about redistributing Rx before actually doing it. I'm
sorry if you feel penalized for being honest.
Please feel free to call or write me (mauro@transarc.com; 281-5852
x7376) or Ken (kenz@transarc.com; 338-4480) if you have any further
questions.
Tony Mauro
Transarc AFS Support