I don't know the US export regulations very well, so please allow a quick one:

Maybe a legal way around the key-size regulation would be:

Many US companies have subsidiaries <sp?> outside the US. Some of them are led by non-US citizens.

1) The U.S. company engineers software with strong (but legal) crypto for use inside the U.S. The program is sold in the U.S. At the same time the company exports the source code of the program *without* any crypto at all to their subsidiaries. (should be legal)

2) One or more of the subsidiaries include "self-engineered" crypto routines into the program "hull" they received from inside the U.S. This program is sold in the subsidiaries' countries (Europe etc.)

Two things have to be assured:

- Both crypto routines have to be compatible
- No U.S. citizens must be involved in the engineering of the subsidiaries' crypto routines.

Any comments?

ohuf.