Exporting applications that link to Kerberos

Christopher Sean Morrison brlcad at mac.com
Wed Sep 29 10:01:20 EDT 2004

While that is good to know, it's a non-starter for our situation.  It's 
okay for our dev team to impose the restriction on ourselves to have a 
certain build environment and set of libraries.  We're not willing, 
though, to impose any such "environment preparation" before our game 
will work.  It's simply not reasonable when we could just as easily 
implement the "same system" using some custom token/password 
mechanisms.  This is a just a game after all. :-)  The interest to use 
Kerberos is more the coolness factor and the assurance of the protocol 
security gives some of the devs warm fuzzies.

Now if we could redistribute the MIT Kerberos Windows Installer, it 
would be easy enough to embed it's installation step into our 
installer.  That said, it still wouldn't answer the question of 
whether, for example, an statically linked binary on Mac OS X could be 
distributed either.  Fortunately, the Macs have the Kerberos framework 
already, so the question is more hypothetical (s/Mac OS X/some random 
linux distro that doesn't have krb/ if that sits better) to any sort of 
our app providing or linking to any binary krb.


On Sep 29, 2004, at 5:01 AM, Jeffrey Altman wrote:

> If your only concern is Windows, then you should advise your
> users to obtain the MIT Kerberos for Windows distribution from
> http://web.mit.edu/kerberos/.  MIT has already obtained the necessary
> approvals it needs to distribute binaries and they are packaged
> in a nice installer.
> Jeffrey Altman
> brlcad wrote:
>> Some of the devs to a project I work on (a popular open source game)
>> spent some of the past week or two linking our registration system up
>> with Kerberos.  The game basically performs the necessary ticket init
>> behind the scenes against a specifically set kdc domain, gets those
>> tickets and passes them along to the game server(s) who then allow the
>> user access.  It all actually mostly works and is pretty nifty
>> conceptual proof that didn't take long.  That said -- now we're down 
>> to
>> the more practical and pedantic legal issues of whether we can 
>> actually
>> distribute the game if it links against Kerberos libraries due to 
>> export
>> restrictions.
>> I have read the Kerberos FAQ and see that this is mostly an issue "up 
>> in
>> the air" that should really be consulted with lawyers.  Unfortunately,
>> our little distributed team of devs around the world doesn't really 
>> have
>> the ability to do that easily, much less with our "budget".  So, of
>> course, I'm hoping I can get some insight from you kind folk that hear
>> this question much more often than I do.
>> In our particular distribution situation, we're in the large class of
>> folks using the SourceForge file release system, utilizing sf's 
>> servers
>> for actual distribution.  I have no idea if sf's fleet of file servers
>> blocks any or all of the 7 or so export-restricted countries that are
>> often mentioned as the only problematic ones.  I can, of course, ping 
>> sf
>> support on the issue but the bigger question is whether or not it's
>> really an issue.
>> While we wouldn't be distributing Kerberos sources for sure, there is
>> the possibility that we would distribute, for example, dll's for the
>> Windows folk that don't have a useable Kerberos library.  Likewise we
>> may be linking statically or dynamically on other systems.  If any of
>> those are a problem, then it's a deal-breaker since we won't impose it
>> upon our users to "get the library on their own" as part of the
>> installation process.
>> Thanks in advance for any advice and insight into this issue.  We'd 
>> love
>> to move forward with this and even perhaps serve as an example to 
>> other
>> open source projects/games that involve some sort of runtime
>> registration system.  Thanks again.
>> Cheers!
>> Sean
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
> -- 
> -----------------
> This e-mail account is not read on a regular basis.
> Please send private responses to jaltman at mit dot edu
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list