On 19 Nov 1997, lcs Mixmaster Remailer wrote:
If someone writes a piece of software, a networking layer, or anything else with support for later cryptographic enhancement but doesn't actually include the cryptographic implementation, and it is later added by somebody outside of the United States, does this fall under ITAR?
In other words, the original U.S. authors wrote the software with support for crypto, function hooks, etc. They didn't include any crypto at all. Somebody outside the United States uses these hooks and writes strong cryptography. These modifications are kept as patches and never exported from the U.S. Is this allowed? What if the U.S. authors are actively collaborating with the non-US authors?
I've always been told that software with function hooks for crypto was just as unexportable as crypto itself. This however doesn't make any sense, because then anything with a plugin interface falls into that category. Hell, anything that can call external programs would qualify as having a plugin interface, and all web browsers, mail/news readers, IRC clients, editors, and possibly even all operating systems would fall into that category. Of course, this is the goobermint we're dealing with... what did we expect but another arbitrary-arrest law.

--
Brian Buchanan                                 brian@smarter.than.nu
No security through obscurity! Demand full source code!
4.4BSD for the masses - http://www.freebsd.org