On Wed, Jul 14, 1999 at 10:53:40AM -0400, Thor Lancelot Simon wrote:
> On Wed, Jul 14, 1999 at 09:35:07AM -0500, Jay Maynard wrote:
> > On Wed, Jul 14, 1999 at 10:10:39AM -0400, Perry E. Metzger wrote:
> > > How about the other possibility -- U.S. people simply not working on
> > > crypto? I have already supported this in the past repeatedly. There
> > > are more than enough smart foreigners.
> > If that were the case, then it would not be legal to have crypto *in* the
> > US, at least as part of the BSD tree: it's just as illegal to import crypto
> > into the US without a license as it is to export it.
> I don't believe you.  Can you document that claim?

At least as far as the import prohibition goes, the reasoning is as follows:

Under ITAR, the International Trafficking in Arms Regulations, cryptographic
software is classed as a munition, the same as rifles and bombs and fighter
aircraft. Importation of any of the latter requires a license, just as
exporting them does. For some things, a license is assumed, and for others,
it is easily obtained. As far as I am aware, there is no blanket license for
importation of cryptographic software, and if the blanket export license
applies to importation as well, it is limited to the same (weak) standards.

I don't have any specific writings from the US Department of Commerce (which
promulgates and enforces ITAR) on the issue; this comes from a discussion
about working on PGP several years ago. I would love to be proven wrong.