On Mon, 20 Jan 1997, Jon Orwant wrote:

I've written a few Perl routines for public-key cryptography. I'd like to freely disseminate the source code (starting with ElGamal) to as many people as I can,

It's my understanding that there are two orthogonal restrictions:

1) ITAResque: I can't give code to non-U.S. citizens. 2) PKPesque: Using public-key crypto is an infringement, although disseminating/possessing the source code is not.

While I'm sure these are oversimplifications, it would seem that I can release my source code over the Internet provided I install a simple verification mechanism (cf. MIT's PGP distribution) to ensure that only people claiming to be U.S. citizens have access privileges.

Am I correct? If so, why aren't more people doing this?

Point 2 is the easier one -- you can research, create, and distribute patented algorithms for free. It is just in using or selling them that you need to get a license from the patent holder (directly or indirectly). Point 1 is a bit muddier, but the new EAR (which replace the ITAR) actually defines what you need to do to freely distribute cryptographic software in North America, essentially describing something like MIT's PGP distribution system and my system at http://www.sni.net/~mpj/usa/warning.htm (at least as far as is practical): ____ (ii) The export of encryption source code and object code software controlled for EI reasons under ECCN 5D002 on the Commerce Control List (see Supplement No. 1 to part 774 of the EAR) includes downloading, or causing the downloading of, such software to locations (including electronic bulletin boards, Internet file transfer protocol, and World Wide Web sites) outside the U.S., or making such software available for transfer outside the United States, over wire, cable, radio, electromagnetic, photooptical, photoelectric or other comparable communications facilities accessible to persons outside the United States, including transfers from electronic bulletin boards, Internet file transfer protocol and World Wide Web sites, unless the person making the software available takes precautions adequate to prevent unauthorized transfer of such code outside the United States. Such precautions shall include: (A) Ensuring that the facility from which the software is available controls the access to and transfers of such software through such measures as: (1) The access control system, either through automated means or human intervention, checks the address of every system requesting or receiving a transfer and verifies that such systems are located within the United States; (2) The access control system, provides every requesting or receiving party with notice that the transfer includes or would include cryptographic software subject to export controls under the Export Administration Act, and that anyone receiving such a transfer cannot export the software without a license; and (3) Every party requesting or receiving a transfer of such software must acknowledge affirmatively that he or she understands that the cryptographic software is subject to export controls under the Export Administration Act and that anyone receiving the transfer cannot export the software without a license; or (B) Taking other precautions, approved in writing by the Bureau of Export Administration, to prevent transfer of such software outside the U.S. without a license. ____ Point (1) above is done at my site, to something of an approximation, by using a .htaccess file. I'm working on improving this, some, due to some server problems, but I think that it is close enough to meet the "such measures as" criteria, especially since (2) and (3) are met pretty literally by the mechanism that routinely breaks links that attempt to bypass the warning page. Of course, this isn't perfect, and no coderpunk worth his salt would have difficulty bypassing the system if he or she were inclined to break the law, but it does allow me to post strong cryptographic software without worrying about breaking the law. Why don't more people do this? Probably because the law has usually been even more muddy than the above, and at least as irrational, and because it is more of a pain than just posting the stuff, which few people want to flaunt their disregard for the law so publicly. There is another, better way, to comply with the above using CGI scripting, but my ISP is reluctant to let me do so, so far. By the way, there is no automated way to add files to my crypto site, but if you are interested in posting quality crypto software, libraries, and documentation (like maybe some DES challenge code or RC5 cracker code), please email me at mpj@csn.net. Michael Paul Johnson Opinions herein are not necessarily Exabyte's. Work: mpj@exabyte.com http://www.exabyte.com Personal: mpj@csn.net http://www.csn.net/~mpj BBS 303-772-1062