Is there an Encryption Distribution FAQ/HOWTO?

hardaker asks: "I've wanted to distribute some encryption software for some time now, but currently all I support is authentication without encryption solely because I haven't figured out how to get around the U.S. exportation laws. Since I'm currently only using DES, I know its possible to distribute my stuff, but I must write someone? I think? I'd love to support 3DES as well, but then I need to set up a distribution center that asks all those silly useless questions? I'm amazed that there is no HOWTO or FAQ on this subject (which would have to talk about all the various countries laws, sigh...) Does anyone have any starting pointers? " I've been covering encryption quite a bit in Ask Slashdot, and something like this strikes me as being useful. Would be nice if it did existed. Can any of you shine more light on this subject?

Hard from US

[bluGill]

If you put any encryption on the internet and you are a US citician be prepared to prove to the goverment that when it got out it wasn't your doing. I'd suggest asking whoever currently has forms for distributing pgp (mit I think as them) to distribute your app.

It is illegal to even have function calls that someone can replave to add encryption. That is you can't make it obvious where your encryption fit, and distribute it without encryption.

One way to get around the above: external filters, and give an example filter of how you can prevent job blow from loging in unless finger is enabled on his system. (a stupid filter, but it is only an example for someone who wants to filter. That an intellegent person could write encryption there is none of your buisness, that isn't the intended use. Show that your US source code uses different calls (which are not in theinternational version) to do encryption.

Or you can do what pgp did: publish a book with your course code and how it works. call it something like "Implmenting encryption in your programs" which contains the entire code in an appendix. The Us supreme court has held that your book is now protected speech and can be exported. There are fonts easially comptuer readable that are good for the srouce code secion. (Make sure that you have many comments so that you can argue in court that this is educational)

Re:usually..

[hardaker]

Well, thats certainly what a lot of other sites seem to be doing... Most of them have a simple form to fill out before you can download it, but I don't know 1) if they log that inforamation (IP address and answers) and 2) if they additionally look up the CIDR block to determine where its really coming from (since I'm in the US, I'm not sure if you can still get to the page from outside the US).

The software is mirrored in a few places already outside the US.

I think you have do to a bit more than just "whack it up with a disclaimer".

Re:I'm interested too...

[hardaker]

Interesting idea (putting in a fake function of the same name), but somehow I don't think it would fly in court very well...

Thats the really annoying thing: Why do they not even allow function calls to be put in place where the encryption would be done? That seems outragiously silly to me...

usually..

[Zurk]

if youre in the US you dont need to bother about restrictions. just whack it up with a disclaimer saying only us citizens can d/l it. someone outside will mirror it if its worth anything.