A question for our local attorneys. There have been several times in the past where people have questioned whether cryptographic hash functions like SHA and the like are exportable under the ITAR? In a joint declaration of facts not in dispute as part of Karn v. State Department, the following was agreed by the government: (see http://www.qualcomm.com/people/pkarn/export/karnsf.html) 34. Three of the source code listings on the diskette and in Part Five of the Applied Cryptography book, MD-5, N-HASH, and SHS are "hashing routines" that perform a data authentication function and, by themselves, are not controlled for export under the ITAR because cryptographic software that is solely limited to a data authentication function is excluded from Category XIII(b) of the United States Munitions List. See 22 C.F.R. 121.1 XIII(b)(vi). Would this not mean that the government is estopped from ever again claiming that hash functions are export controlled under the ITAR? Just curious as to whether or not things have been made more clear... Perry PS they also admit in the same declaration to having broken Enigma in WWII. A shocking revelation.