Firewall Wizards mailing list archives

Re: Export restrictions for Embargo-ed countries


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Mon, 24 Apr 2000 20:13:56 -0400



Sage advice.  Unfortunately, they will only be "happy" if I made a
"best effort."  This note to firewall-wizards helps justify a "best
effort" being made.

I'd suggest doing what some of the "big guys" do and using that
as a basis for "due diligence conforming to industry norms."
It would appear that simply having users fill out a statement
saying they understand that the software is not for export,
etc, is sufficient. Look at what Netscape and pgp.com do for
their encryption codes.

I worked on this problem way back when I was at TIS and
we were trying to distribute some stuff with crypto. The
bottom line as I understood it then was that:
_enforcing_ _the_ _law_ _is_ _not_ _your_ _problem_
all you need to do is make sure that the person downloading
it understands that the stuff is controlled, and the rest of
it is their problem. What we did at the time was make the
user answer a form that acknowledged that they understood
their obligations under the law - once they did that we
E-mailed them the name of a directory on the system where
the files could be downloaded. The directory changed every
5 minutes (based on a cryptographic hash) so we believed
that nobody could download our code without having
stated that they understood their obligations under
the law. Enforcement, we left as an exercise to the
feds; we pay them enough to do that job.

mjr.
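
The rotating download directory described in the message above, sketched as an added example that is not part of the original post and is not TIS's code. The message says only that the name was "based on a cryptographic hash", so the HMAC-SHA256 over a five-minute window counter, the one-window grace period, and the names `directory_name` and `is_valid` are all assumptions.

```python
import hashlib
import hmac

WINDOW_SECONDS = 300  # five minutes, the rotation period given in the message


def directory_name(secret: bytes, now: float, offset: int = 0) -> str:
    """Directory name for the window containing `now` (assumed scheme)."""
    window = int(now // WINDOW_SECONDS) + offset
    mac = hmac.new(secret, str(window).encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:32]


def is_valid(secret: bytes, requested: str, now: float, grace: int = 1) -> bool:
    """Accept the current window's name and up to `grace` earlier ones,
    so a name mailed just before a rotation does not expire in transit."""
    ok = False
    candidate = requested.encode("utf-8")
    for back in range(grace + 1):
        expected = directory_name(secret, now, -back).encode("ascii")
        # Constant-time comparison, and no early exit from the loop.
        ok |= hmac.compare_digest(expected, candidate)
    return ok


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value, not a real key
    t0 = 956_621_636.0                    # constructed timestamp
    name = directory_name(secret, t0)
    print("mailed directory:", name)
    print("valid now:", is_valid(secret, name, t0))
    print("valid one window later:", is_valid(secret, name, t0 + 300))
    print("valid two windows later:", is_valid(secret, name, t0 + 600))
```

Without the server-side secret a name cannot be predicted for a future window, which is the property the message relies on: the only way to learn the current directory is to receive the mail sent after the form is submitted.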
