At 01:46 PM 3/31/99 -0800, John Gilmore wrote:
>> The way I read it, if you are using RSA for authentication, there are no
>> export restrictions (except perhaps the awful 5 nations). You do not need
>> to get a license.
>
>I concur. The awful 5 nations aren't even embargoed, if your export
>is "publicly available", which exempts you from the EAR totally
>(section 732.2). However, if you *ask* BXA about this, they may well
>tell you that your export is illegal even if the regs plainly exempt
>it. (They did that to Hugh Daniel about an old DNSSEC prototype; see
>http://www.toad.com/dnssec/. Hugh has appealed this and we'll see
>what the result is.) Meanwhile, my suggestion is to:
>
> * Get a good export lawyer
> * Read the regs. Follow the instructions in them.
> * Export what the regs permit you to export.
> * Don't ask BXA any questions if you can help it. Rely on
> the well established principle of "rule of law".
Yes, at the President's Export Council Subcommittee on Encryption meeting
in Palo Alto a few months back, William Reinsch (Under Secretary for Export
Administration) grudgingly admitted that companies and individuals were
under no obligation to submit their wares to the BXA prior to export.
--Steve
