Re: Digest Authentication

> What I *do* know is how *I* behave, given my perhaps buggy understanding of
> export regulations. Roughly speaking, if my software doesn't do encryption,
> I export it without consideration of (the cryptography portion of) ITAR. If
> I had code that did, say, digest authentication and nothing else, I
> wouldn't hesitate to ship it overseas -- or put it on a public FTP server.

And in doing so you may well be OK. As far as I know there have been no
prosecutions for violations of ITAR caused by shipping auth-only products
overseas. You could, after all, claim that you understood from your reading of
ITAR that they are exempt -- it's not an unreasonable reading of the prose at
all. And even if you do get in trouble the fact that others have gotten a
license may well mean that this will be all you have to do as well, so modulo
the hassle factor (which can be considerable -- ask Phil Zimmermann!) you may
still be OK.

The other factor here, however, is in what capacity you are acting. It's one
thing for you, acting as an individual, to do something you could have gotten a
license for without actually getting the license. You may get fined some
amount, but you're unlikely to go to jail over something like this.

It's quite another if you're acting in some official capacity for a
corporation. You may have a fiduciary responsibility not to expose the
corporation to undue risk, which means you may be open to a stockholder or
even customer lawsuit if you don't play by the rules.


Received on Monday, 1 January 1996 23:09:30 UTC