Exporting applications that link to Kerberos

brlcad brlcad at mac.com
Tue Sep 28 23:32:12 EDT 2004

Some of the devs to a project I work on (a popular open source game) 
spent some of the past week or two linking our registration system up 
with Kerberos.  The game basically performs the necessary ticket init 
behind the scenes against a specifically set kdc domain, gets those 
tickets and passes them along to the game server(s) who then allow the 
user access.  It all actually mostly works and is pretty nifty 
conceptual proof that didn't take long.  That said -- now we're down to 
the more practical and pedantic legal issues of whether we can actually 
distribute the game if it links against Kerberos libraries due to 
export restrictions.

I have read the Kerberos FAQ and see that this is mostly an issue "up 
in the air" that should really be consulted with lawyers.  
Unfortunately, our little distributed team of devs around the world 
doesn't really have the ability to do that easily, much less with our 
"budget".  So, of course, I'm hoping I can get some insight from you 
kind folk that hear this question much more often than I do.

In our particular distribution situation, we're in the large class of 
folks using the SourceForge file release system, utilizing sf's servers 
for actual distribution.  I have no idea if sf's fleet of file servers 
blocks any or all of the 7 or so export-restricted countries that are 
often mentioned as the only problematic ones.  I can, of course, ping 
sf support on the issue but the bigger question is whether or not it's 
really an issue.

While we wouldn't be distributing Kerberos sources for sure, there is 
the possibility that we would distribute, for example, dll's for the 
Windows folk that don't have a useable Kerberos library.  Likewise we 
may be linking statically or dynamically on other systems.  If any of  
those are a problem, then it's a deal-breaker since we won't impose it 
upon our users to "get the library on their own" as part of the 
installation process.

Thanks in advance for any advice and insight into this issue.  We'd 
love to move forward with this and even perhaps serve as an example to 
other open source projects/games that involve some sort of runtime 
registration system.  Thanks again.


More information about the Kerberos mailing list