I am seeking information on what constitutes legal conformance to U.S. ITAR when webserving encryption software from within the U.S. I have read pretty much everything I can find online that looked like it might be relavent. Apologies if this is a FAQ that I have some how missed. Part of my confusion stems from the different policies implemented by different vendors on their sites, and also by how those policies have changed over time. For instance, at Netscape one has to provide a tremendous amount of personal info in order to download the domestic version of Communicator. Phone number is required, and there appears to be some automated sanity checking on the phone number/address supplied. This is a sharp contrast to the Cypherpunks Home Page (ftp://ftp.csua.berkeley.edu/pub/cypherpunks/Home.html), where a simple request not too export and an explanation of the ITAR appears to be all that is done. PGP has yet a different standard, directing you to the MIT page which eventually leads to a form (at http://bs.mit.edu:8001/pgp-form.html) that forces you to affirm your citizenship, agree to obry ITAR and obey the RSAREF license, and state that you will only use PGP for noncommercial use. It then appears to do some minimal checking of your ip name/address (it would allow me to download from netscape.com but not from ricochet.net). If anyone can point me at any legal analysis of these different approaches, or has any info to offer on the matter, I'd love to hear about it. thanks, Joe Francis