Old UNIX ftp archive - access ideas

Warren Toomey wkt at henry.cs.adfa.oz.au
Fri Aug 1 13:19:52 AEST 1997 

Dear PDP-11 & old Unix enthusiasts,

Status report of our petition to SCO about UNIX src licenses. I received this
from Dion Johnson last week:

	Warren,

	Thanks for your latest news.  That's great about the signatures.
	Yes, I perused the earlier list and it's really amazing that
	we have such famous support for this.  I am sure it will be
	a great PR victory when we finally get this arranged.

	Our exec VP (Doug Michels) is on your side.  I am annoying our
	legal folks, bless their hearts. :-)  They have a job to do also and
	I want to be sure we are protecting SCO's interests in the code
	in the right ways.

	I expect an answer in a week or so.  I suspect there will be
	further internal iterations here as we craft a license that works
	for all parties.

	So the right answer to publish is:

	"SCO is pleased to entertain this request from so many loyal and
	famous fans of UNIX.  We are looking into how we can provide this
	source code.  No promises at this time, since there are some
	intellectual property issues that must be resolved, but we will
	do what we can."

I'll email when I hear more. It occurred to me that if SCO agree to src
licenses and people buy them, then they will of course want the software.
I already make the stuff available to several people, on the trust that they
have existing src licenses (e.g show me the first 100 lines of v7 nami.c etc.)
At the moment, it's all sitting as .tar.gz files on my desktop box.

If I become the `central repository' for the software, then I'd like to
set up access procedures which ensure that only legitimate users can access
the archive, and that eavesdropping or hacking access to the archive
shouldn't divulge its contents easily.

I'm after comments from you guys, the end users of the archive, as to what
sounds good, ok, bad, annoying and/or plain stupid to you.

Proposal
--------

Make the archive available via FTP:

	- To prevent capture of ftp passwords, I suggest that each license
	  owner has an ftp account, and authentication is done using S/Key.

	  To distribute the S/Key key phrase or a number of S/Key pass
	  phrases to the license owners, I suggest using PGP email.

Keep the archive files encrypted:

	- This will stop hackers who penetrate the archive from getting the
	  plaintext version of the files. I suggest using PGP with a very
	  large key size to encrypt the files. The key won't be kept on the
	  archive machine.

Transmission to license owner - Suggestion A:

	- Transmit the PGP encrypted files `as is' to the license owner
	  via ftp. Shortcoming: every license owner has the same private
	  key required to decrypt the files. A hacker only needs to find
	  one vulnerable license owner to get the key.

Transmission to license owner - Suggestion B:

	- On-the-fly PGP encrypt the files using a key specific to the
	  license owner. Shortcoming: end user must have a personal key
	  plus the common key, and must decrypt everything twice.

Transmission to license owner - Suggestion C:

	- On-the-fly decrypt the archive file, and on-the-fly re-encrypt
	  it using a key specific to the license owner. End user only needs
	  one personal PGP key to decrypt the file. Shortcoming: the key
	  required to decrypt the file back to plaintext must exist on the
	  archive server. Hackers who break-in can thus get plaintext.

	  I think I prefer Suggestion A. For all 3 suggestions above, PGP
	  private keys will be sent to license holders using PGP email.

Anyway, this is an off the cuff set of ideas. I certainly want to keep
my butt from being sued off by SCO :-), and so I need to authenticate users,
keep audit trails of downloads and logins, and take reasonable steps to
prevent non-legitimate users from accessing the licensed material.

I'd really like feedback from you about the proposed scheme for providing
access to this old UNIX software!

Thanks in advance,

	Warren	wkt at cs.adfa.oz.au

More information about the TUHS mailing list