Received: from henry.cs.adfa.oz.au (henry.cs.adfa.oz.au [131.236.21.158])
	by minnie.cs.adfa.oz.au (8.8.5/8.8.5) with ESMTP id NAA21972
	for <oldunix@minnie.cs.adfa.oz.au>; Fri, 1 Aug 1997 13:18:50 +1000 (EST)
Received: (from wkt@localhost) by henry.cs.adfa.oz.au (8.7.5/8.7.3) id NAA10575 for oldunix@minnie.cs.adfa.oz.au; Fri, 1 Aug 1997 13:19:52 +1000 (EST)
From: Warren Toomey <wkt@henry.cs.adfa.oz.au>
Message-Id: <199708010319.NAA10575@henry.cs.adfa.oz.au>
Subject: Old UNIX ftp archive - access ideas
To: oldunix@minnie.cs.adfa.oz.au (PDP Unix Preservation)
Date: Fri, 1 Aug 1997 13:19:52 +1000 (EST)
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Dear PDP-11 & old Unix enthusiasts,

Status report of our petition to SCO about UNIX src licenses. I received this
from Dion Johnson last week:

	Warren,

	Thanks for your latest news.  That's great about the signatures.
	Yes, I perused the earlier list and it's really amazing that
	we have such famous support for this.  I am sure it will be
	a great PR victory when we finally get this arranged.

	Our exec VP (Doug Michels) is on your side.  I am annoying our
	legal folks, bless their hearts. :-)  They have a job to do also and
	I want to be sure we are protecting SCO's interests in the code
	in the right ways.

	I expect an answer in a week or so.  I suspect there will be
	further internal iterations here as we craft a license that works
	for all parties.

	So the right answer to publish is:

	"SCO is pleased to entertain this request from so many loyal and
	famous fans of UNIX.  We are looking into how we can provide this
	source code.  No promises at this time, since there are some
	intellectual property issues that must be resolved, but we will
	do what we can."

I'll email when I hear more. It occurred to me that if SCO agree to src
licenses and people buy them, then they will of course want the software.
I already make the stuff available to several people, on the trust that they
have existing src licenses (e.g. show me the first 100 lines of v7 nami.c etc.)
At the moment, it's all sitting as .tar.gz files on my desktop box.

If I become the `central repository' for the software, then I'd like to
set up access procedures which ensure that only legitimate users can access
the archive, and that eavesdropping or hacking access to the archive
shouldn't divulge its contents easily.

I'm after comments from you guys, the end users of the archive, as to what
sounds good, ok, bad, annoying and/or plain stupid to you.

Proposal
--------

Make the archive available via FTP:

	- To prevent capture of ftp passwords, I suggest that each license
	  owner has an ftp account, and authentication is done using S/Key.

	  To distribute the S/Key key phrase or a number of S/Key pass
	  phrases to the license owners, I suggest using PGP email.

Keep the archive files encrypted:

	- This will stop hackers who penetrate the archive from getting the
	  plaintext version of the files. I suggest using PGP with a very
	  large key size to encrypt the files. The key won't be kept on the
	  archive machine.

Transmission to license owner - Suggestion A:

	- Transmit the PGP encrypted files `as is' to the license owner
	  via ftp. Shortcoming: every license owner has the same private
	  key required to decrypt the files. A hacker only needs to find
	  one vulnerable license owner to get the key.

Transmission to license owner - Suggestion B:

	- On-the-fly PGP encrypt the files using a key specific to the
	  license owner. Shortcoming: end user must have a personal key
	  plus the common key, and must decrypt everything twice.

Transmission to license owner - Suggestion C:

	- On-the-fly decrypt the archive file, and on-the-fly re-encrypt
	  it using a key specific to the license owner. End user only needs
	  one personal PGP key to decrypt the file. Shortcoming: the key
	  required to decrypt the file back to plaintext must exist on the
	  archive server. Hackers who break in can thus get plaintext.

	  I think I prefer Suggestion A. For all 3 suggestions above, PGP
	  private keys will be sent to license holders using PGP email.

Anyway, this is an off the cuff set of ideas. I certainly want to keep
my butt from being sued off by SCO :-), and so I need to authenticate users,
keep audit trails of downloads and logins, and take reasonable steps to
prevent non-legitimate users from accessing the licensed material.

I'd really like feedback from you about the proposed scheme for providing
access to this old UNIX software!

Thanks in advance,

	Warren	wkt@cs.adfa.oz.au

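An added illustration of the S/Key-style one-time-password login proposed above (not code from the original message, nor from any S/Key implementation): a hash-chain OTP where the server stores only the last accepted value, so a password captured in transit cannot be replayed and cannot be turned into the next password. SHA-256 stands in for the 64-bit MD4 of real S/Key (an assumption), and the user name, passphrase, seed and chain length are constructed sample values. The server also keeps a simple login audit list, since the message asks for audit trails of logins.

```python
import hashlib
import hmac

# Assumption: SHA-256 in place of the truncated MD4 used by the original S/Key.
HASH = hashlib.sha256


def hash_chain(seed: bytes, count: int) -> bytes:
    """Return H^count(seed): the hash applied `count` times (count == 0 returns seed)."""
    value = seed
    for _ in range(count):
        value = HASH(value).digest()
    return value


class Client:
    """License holder's side: knows the secret, emits H^(n-1), H^(n-2), ... in turn."""

    def __init__(self, passphrase: str, seed: str, n: int):
        self.secret = (passphrase + seed).encode()
        self.n = n          # passwords remaining; the server holds H^n(secret)

    def initial_value(self) -> bytes:
        # Sent once to the server over a trusted channel (the message proposes PGP email).
        return hash_chain(self.secret, self.n)

    def next_otp(self) -> bytes:
        if self.n <= 0:
            raise RuntimeError("chain exhausted; re-initialise with a new seed")
        self.n -= 1
        return hash_chain(self.secret, self.n)


class Server:
    """Archive side: stores no secret, only (remaining count, last accepted value)."""

    def __init__(self):
        self.users = {}     # user -> (count, last_accepted)
        self.audit = []     # (user, count_after, accepted) per login attempt

    def register(self, user: str, count: int, top: bytes) -> None:
        self.users[user] = (count, top)

    def login(self, user: str, otp: bytes) -> bool:
        count, last = self.users[user]
        # Accept only if hashing the offered password reproduces the stored value.
        accepted = count > 0 and hmac.compare_digest(HASH(otp).digest(), last)
        if accepted:
            count -= 1
            self.users[user] = (count, otp)   # the offered value becomes the new anchor
        self.audit.append((user, count, accepted))
        return accepted


def demo():
    """Constructed run: first login succeeds, replay of the same OTP fails, next OTP succeeds."""
    client = Client("correct horse battery", "ar1997", 100)   # constructed sample values
    server = Server()
    server.register("wkt", 100, client.initial_value())

    otp1 = client.next_otp()                 # H^99(secret)
    first = server.login("wkt", otp1)        # True: H(H^99) == stored H^100
    replay = server.login("wkt", otp1)       # False: captured password is now useless
    second = server.login("wkt", client.next_otp())   # True: H^98 chains to stored H^99
    return first, replay, second


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The property the message is after (an eavesdropper on the FTP login gains nothing reusable) follows from preimage resistance: knowing H^99 does not yield H^98. What the chain does not protect is the file transfer itself, which is why the same message separately proposes encrypting the archive contents.
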
Received: from henry.cs.adfa.oz.au (henry.cs.adfa.oz.au [131.236.21.158])
	by minnie.cs.adfa.oz.au (8.8.5/8.8.5) with ESMTP id OAA22018
	for <oldunix@minnie.cs.adfa.oz.au>; Fri, 1 Aug 1997 14:01:27 +1000 (EST)
Received: (from wkt@localhost) by henry.cs.adfa.oz.au (8.7.5/8.7.3) id OAA10623 for oldunix@minnie.cs.adfa.oz.au; Fri, 1 Aug 1997 14:02:29 +1000 (EST)
From: Warren Toomey <wkt@henry.cs.adfa.oz.au>
Message-Id: <199708010402.OAA10623@henry.cs.adfa.oz.au>
Subject: Re: ideas re UNIX licensed distribution
To: oldunix@minnie.cs.adfa.oz.au (PDP Unix Preservation)
Date: Fri, 1 Aug 1997 14:02:29 +1000 (EST)
In-Reply-To: <199708010345.UAA27393@generic.yamato.com> from "Robert J. Kelley" at "Jul 31, 97 08:45:03 pm"
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

In article by Robert J. Kelley:
> 
> Why not just use SSH: verified licensees could submit keys and
> the archive server would keep them on file.  scp could be used
> to retrieve the files.

I'd still have to encrypt the archive files that are resident on disk.
Also, ssh is more of a `general' login account. scp would allow someone
to retrieve /etc/password :-)

If I could restrict scp access, that'd be an ok alternative.

	Warren

Received: from henry.cs.adfa.oz.au (henry.cs.adfa.oz.au [131.236.21.158])
	by minnie.cs.adfa.oz.au (8.8.5/8.8.5) with ESMTP id OAA22403
	for <oldunix@minnie.cs.adfa.oz.au>; Fri, 1 Aug 1997 14:32:24 +1000 (EST)
Received: (from wkt@localhost) by henry.cs.adfa.oz.au (8.7.5/8.7.3) id OAA10684 for oldunix@minnie.cs.adfa.oz.au; Fri, 1 Aug 1997 14:33:26 +1000 (EST)
From: Warren Toomey <wkt@henry.cs.adfa.oz.au>
Message-Id: <199708010433.OAA10684@henry.cs.adfa.oz.au>
Subject: Re: Old UNIX ftp archive - access ideas
To: oldunix@minnie.cs.adfa.oz.au (PDP Unix Preservation)
Date: Fri, 1 Aug 1997 14:33:26 +1000 (EST)
In-Reply-To: <199708010412.VAA15987@moe.2bsd.com> from "Steven M. Schultz" at "Jul 31, 97 09:12:05 pm"
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

In article by Steven M. Schultz:
> > Make the archive available via FTP:
> 
> 	Convenient but the management of "accounts" and S/Key or PGP keys
> 	could be a real logistic nightmare.
> 
> 	Have you considered putting the archive on CDrom and shipping that
> 	upon receipt of a copy of the license?  Naturally there would be
> 	a modest fee for the media and shipping.
> 
> 	Probably would want a "mirror" shipping office in the US.
> 
> 	The reason I asked the "what will most folks want" question earlier
> 	was that perhaps folks only want a handful or a couple pieces.  CDrom
> 	writing is extremely simple (I think FreeBSD makes it harder or more
> 	complex than other systems though) - perhaps folks could, with the
> 	request for a CD specify which parts they want and a "custom" CD
> 	could be created.
> 
> 	This approach does have its own set of problems but it does do away
> 	with network snooping, outages and breakins.  The archive could be 
> 	offline or encrypted with a key known only to you - if you needed to
> 	make something available you could decrypt a copy and make it available
> 	for a small time window.
> 
> 	I know I'm planning on creating a few CDs to safeguard the stuff I've
> 	obtained so far - good (and cheap) protection against disk crashes
> 	and unreadable backup tapes.
> 
> 	A variation on this scheme would be to master a CD with everything
> 	on it and let SCO send the CD out along with the license when 
> 	payment is received.  Hmmmm - I kinda like this the more I think
> 	about it.  Might even get some nice artwork (the BSD 'imp'?) on
> 	the cover.  I'm sure SCO gets a real good rate at the CD pressing
> 	plant so the media cost would be lower than an individual doing it
> 	on a CDwriter.

> 	Perhaps the online/FTP archive could be a backup or secondary
> 	means of distribution - if someone convinces you (or sends a copy
> 	of the license) they have the license but lost the media, etc you
> 	could set up a PGP encrypted account for them.

> 	Cheers.
> 	Steven

Yes, I'd thought about cutting a CD directly from the current archive,
and certainly having someone (SCO, me?) distribute files on CD would
make the administration a lot easier. I guess license holders could
buy `upgrade CDs' if the archive changes.

If SCO come to the src license party, I certainly will ask them about
pressing CDs and distributing them as part of the license sale.

Thanks for the input Steven!

	Warren

Received: from rachael.franken.de (rachael.franken.de [193.175.24.38])
	by minnie.cs.adfa.oz.au (8.8.5/8.8.5) with SMTP id VAA23120
	for <oldunix@minnie.cs.adfa.oz.au>; Fri, 1 Aug 1997 21:21:58 +1000 (EST)
Received: from hub-n by rachael.franken.de with uucp
	(Smail3.1.29.1 #8) id m0wuFmD-000oOrC; Fri, 1 Aug 97 13:21 MET DST
Received: from mbsks by hub-n.franken.de with uucp
	(Smail3.2.0.92 #12) id m0wuFhn-000cvKC; Fri, 1 Aug 1997 13:17:11 +0200 (MET DST)
Received: by mbsks.franken.de (Linux Smail3.1.28.1 #14)
	id m0wuC9m-000Hq5C; Fri, 1 Aug 97 09:29 MET DST
Message-Id: <m0wuC9m-000Hq5C@mbsks.franken.de>
From: m@mbsks.franken.de (Matthias Bruestle)
Subject: Re: Old UNIX ftp archive - access ideas
In-Reply-To: <199708010319.NAA10575@henry.cs.adfa.oz.au> from Warren Toomey at "Aug 1, 97 01:19:52 pm"
To: oldunix@minnie.cs.adfa.oz.au (oldunix)
Date: Fri, 1 Aug 1997 09:29:48 +0200 (MET DST)
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Mahlzeit


According to Warren Toomey:
> If I become the `central repository' for the software, then I'd like to
> set up access procedures which ensure that only legitimate users can access
> the archive, and that eavesdropping or hacking access to the archive
> shouldn't divulge its contents easily.
Isn't ftp for a $200 program secure enough? I'm doing beta testing
for a program which costs $1100, and they distribute the passwords
for ftp by unencrypted mail. They have done that already for a few releases
and I don't think they had any problems with that.

> Keep the archive files encrypted:
> 
> 	- This will stop hackers who penetrate the archive from getting the
> 	  plaintext version of the files. I suggest using PGP with a very
> 	  large key size to encrypt the files. The key won't be kept on the
> 	  archive machine.
I don't think you need a very large key. Everyone who has the
choice to crack a 512-bit key or to pay $200 would choose to pay.

> I'd really like feedback from you about the proposed scheme for providing
> access to this old UNIX software!
I think PGP is too difficult to use for some. You could use a simple
encryption program like: ftp://isidor.ethz.ch/pub/simpl/safer.V1.1.tar.Z
which should be very portable. The passphrase could be distributed on
the license.


Mahlzeit

endergone Zwiebeltuete

-- 
insanity inside