implementing an export control policy on a web site

[Joe Francis]

I am seeking information on what constitutes legal conformance to U.S.
ITAR when webserving encryption software from within the U.S.

I have read pretty much everything I can find online that looked like it
might be relavent.  Apologies if this is a FAQ that I have some how
missed.

Part of my confusion stems from the different policies implemented by
different vendors on their sites, and also by how those policies have
changed over time.  For instance, at Netscape one has to provide a
tremendous amount of personal info in order to download the domestic
version of Communicator.  Phone number is required, and there appears to
be some automated sanity checking on the phone number/address supplied.
This is a sharp contrast to the Cypherpunks Home Page
(ftp://ftp.csua.berkeley.edu/pub/cypherpunks/Home.html), where a simple
request not too export and an explanation of the ITAR appears to be all
that is done.  PGP has yet a different standard, directing you to the
MIT page which eventually leads to a form (at
http://bs.mit.edu:8001/pgp-form.html) that forces you to affirm your
citizenship, agree to obry ITAR and obey the RSAREF license, and state
that you will only use PGP for noncommercial use.  It then appears to do
some minimal checking of your ip name/address (it would allow me to
download from netscape.com but not from ricochet.net).

If anyone can point me at any legal analysis of these different
approaches, or has any info to offer on the matter, I'd love to hear
about it.

thanks,
Joe Francis