Steve Salkin (salkin@mindspring.com)
Wed, 22 Jul 1998 23:51:00 -0400
Thank you to all of you who have replied here and in private email. I
recognize that none of you have represented yourselves as lawyers, and so
on. However, I will summarize below what I take to be a consensus of
conclusions that I have received.
(1) Can I avoid ITAR regulations by going out of the country to do the work?
No, you cannot. You must fill out forms with the Dept. of Commerce and get
their approval. Failure to do this can result in loss of citizenship and
jail time should you return to the US in the future.
(2) Is it OK to export strong crypto systems if they are used only to
encrypt authentication information?
Yes, this is a specific exemption in the export regulations. The rest of
the data must be sent in the clear.
(3) Can I import strong crypto code, change it, and export it again without
running afoul of the law? What if I don't change the crypto part of a
larger project?
No, this is called "re-export" and is subject to the same regulations as an
original export.
===
I am still not clear about source code patches, you know, like the "context
diffs" used by the GNU utilities. If I see some crypto code on an
Australian site, notice a potential bug or speedup, and send a source patch
is that subject to all these regulations too?
Other then that, all is clear. Thanks again.
Steve
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:50 ADT