[1366] in WWW Security List Archive
Re: Digest Authentication
daemon@ATHENA.MIT.EDU (Allan M. Schiffman)
Sun Dec 31 21:49:28 1995
Date: Sun, 31 Dec 1995 16:53:32 -0800
To: Dan Stromberg - OAC-DCS <strombrg@hydra.acs.uci.edu>
From: ams@terisa.com (Allan M. Schiffman)
Cc: http-wg@cuckoo.hpl.hp.com, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
As you say, one can easily go astray making statements about ITAR. I'm no
expert, and worse, nobody can predict what the treatment will be in a given
situation be since such administrative rulings vary from case to case.
What I *do* know is how *I* behave, given my perhaps buggy understanding of
export regulations. Roughly speaking, if my software doesn't do encryption,
I export it without consideration of (the cryptography portion of) ITAR. If
I had code that did, say, digest authentication and nothing else, I
wouldn't hesitate to ship it overseas -- or put it on a public FTP server.
-Allan
