
To summarise: the consensus is that using keyed-MD5 for authentication is ok under ITAR, but using it for confidentiality is out. The reason I wanted to check is that I'm solidifying some of the security parameters for HTTP-NG so we can add them to the test implementation before the Dallas IETF. In addition to the slight problem of having half the development team on the other side of the Atlantic, I want to make at least a subset of the security schemes mandatory, and that means making the core stuff exportable.

At the moment, I'm thinking of making the mandatory schemes Keyed MD5 for authentication and weakened RC4 with an IV for confidentiality, with the added stipulation that the user must be informed when key weakening is being used. I may swap RC4 for DES; they're both public domain, but RC4 is simpler. They're both shared key, but I don't make PK stuff mandatory. The other pre-defined schemes I'm planning on getting at least spec'd are 3-DES and IDEA for confidentiality, SHA for hashing, and RSA & DH for key exchange, signatures, and authentication. Certificate format is currently X.509; PGP format will go in ASAP.

Simon
---
(defun modexpt (x y n)
  "computes (x^y) mod n"
  (cond ((= y 0) 1)                                   ; x^0 = 1
        ((= y 1) (mod x n))                           ; x^1 mod n
        ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))  ; square the half power
        (t (mod (* x (modexpt x (1- y) n)) n))))      ; odd: peel off one factor of x
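The signature's modexpt is the square-and-multiply primitive that the DH key exchange mentioned in the post rests on. The following is an added example, not code from the original message or from the HTTP-NG implementation: it reimplements the same algorithm iteratively in Python, runs both sides of a toy Diffie-Hellman exchange on top of it, and uses the derived key for a prefix-style keyed MD5 tag. The group parameters P and G, the public-value sanity check, the MD5(key || message) form of keyed MD5, and the sample request line are all assumptions made for the example, and the 127-bit group is far too small for real use.

```python
import hashlib
import secrets


def modexpt(x: int, y: int, n: int) -> int:
    """(x ** y) % n by iterative square-and-multiply.

    Same result as the recursive version, but loops over the bits of y
    instead of recursing, and handles n == 1 (everything is 0 mod 1).
    """
    if n < 1 or y < 0:
        raise ValueError("modulus must be positive and exponent non-negative")
    if n == 1:
        return 0
    result = 1
    base = x % n
    while y:
        if y & 1:              # bit set: multiply the running result in
            result = (result * base) % n
        base = (base * base) % n
        y >>= 1
    return result


# Toy DH parameters, constructed for this example only.  2**127 - 1 is prime,
# but a 127-bit group is far too small for real use, and 5 is assumed to be a
# usable generator rather than verified as one.
P = 2**127 - 1
G = 5


def dh_keypair(p=P, g=G):
    """Private exponent in [1, p-2] and the matching public value g^priv mod p."""
    priv = secrets.randbelow(p - 2) + 1
    return priv, modexpt(g, priv, p)


def dh_shared(peer_pub: int, priv: int, p=P) -> int:
    """Shared secret peer_pub^priv mod p, rejecting degenerate public values.

    0, 1 and p-1 as a peer's public value force the secret to 0, 1 or +/-1
    whatever priv is, so a peer sending them (or an attacker substituting
    them on the wire) must be refused.
    """
    if not 1 < peer_pub < p - 1:
        raise ValueError("degenerate DH public value")
    return modexpt(peer_pub, priv, p)


def keyed_md5(key: bytes, message: bytes) -> str:
    """Keyed MD5 in the simple prefix form MD5(key || message), hex-encoded (assumed form)."""
    return hashlib.md5(key + message).hexdigest()


def dh_exchange(p=P, g=G):
    """Both sides of the exchange; returns the two secrets and whether the tag verified."""
    # Client and server each pick a private exponent and send the public value.
    c_priv, c_pub = dh_keypair(p, g)
    s_priv, s_pub = dh_keypair(p, g)
    # Each side computes the secret from the other side's public value.
    c_secret = dh_shared(s_pub, c_priv, p)
    s_secret = dh_shared(c_pub, s_priv, p)
    # Derive a fixed-size key from the secret; MD5 is used here only because
    # it is the hash the post discusses.
    width = (p.bit_length() + 7) // 8
    c_key = hashlib.md5(c_secret.to_bytes(width, "big")).digest()
    s_key = hashlib.md5(s_secret.to_bytes(width, "big")).digest()
    # Authenticate a constructed request line with the derived key.
    request = b"GET /index.html HTTP-NG"          # constructed sample message
    tag = keyed_md5(c_key, request)
    verified = keyed_md5(s_key, request) == tag
    return c_secret, s_secret, verified
```

With the textbook parameters p = 23, g = 5 and private exponents 6 and 15, the public values are 8 and 19 and both sides arrive at the shared secret 2; the degenerate-value check is what stops a man in the middle from forcing that secret to 1 by replacing a public value.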