[cryptography] Interesting Webcrypto question

Arshad Noor arshad.noor at strongauth.com
Sun Mar 3 17:10:06 EST 2013

On 03/03/2013 01:41 PM, Adam Back wrote:
> Dont tell me you still think you need permission to export RSA in perl to
> non-embargoed entities:

Open-source crypto that is downloadable from public-sites has a special
designation in the EAR; you only need to notify the BIS and provide the
download URL.  While I cannot confirm this, US-companies that provide
downloading capabilities - such as sourceforge.net - are required to
comply with the EAR when the FOSS has crypto in it and are expected to
restrict its distribution.

I agree that this does not prevent individuals in permitted countries
from downloading such open-source crypto and carrying it with them to
embargoed countries/individuals - but at this point, as a US citizen,
you will have broken the law.  What happens after that is up to your
lawyers and the USDOJ.

I also agree that all this seems irrelevant considering that everyone
has access to strong crypto in one form or another; but, even a stupid
law is still the law.  As a democracy, we have the ability to change
it if its important enough to us, but when bigger issues are fumbled
regularly, crypto-regulation should be the least of our problems.  Its
easier for small companies like ours to comply with it than fight it.

Arshad Noor
StrongAuth, Inc.

More information about the cryptography mailing list