ITAR

[Brian W. Buchanan]

On 19 Nov 1997, lcs Mixmaster Remailer wrote:

> 
> If someone writes a piece of software, a networking layer, or anything else
> with support for later cryptographic enhancement but doesn't actually
> include the cryptographic implementation and it is later added by somebody
> outside of the United States does this fall under ITAR? 
> 
> In other words the original U.S. authors wrote the software with support for
> crypto, function hooks, etc. They didn't include any crypto at all. Somebody
> outside the United States uses these hooks and writes strong cryptography.
> These modifications are kept as patches and never exported from the U.S.. Is
> this allowed? What if the U.S. authors are actively collaborating with the
> non-US authors?
 
I've always been told that software with function hooks for crypto was
just as unexportable as crypto itself.  This however doesn't make any
sense, because then anything with a plugin interface falls into that
category.  Hell, anything that can call external programs would qualify as
having a plugin interface, and all web browsers, mail/news readers, IRC
clients, editors, and possibly even all operating systems would fall into
that category.  Of course, this is the goobermint we're dealing with...
what did we expect but another arbitrary-arrest law.

-- 
Brian Buchanan                                      brian at smarter.than.nu

No security through obscurity!  Demand full source code!
4.4BSD for the masses - http://www.freebsd.org