I actually moved to Anguilla for the same reason -- outside the USA, I could sit in a room next to a Dutch (non-US) citizen, and I could write/publish (to the Internet, accessible to at least 50 people) an academic paper describing an algorithm. He could download it, implement it in Java, publish it, and I could look over it and give comments. Thus, complying with ITAR.<p>(This was for anonymous electronic cash, in a better system than bitcoin, invented in the 1980s; there were <i>also</i> RSA patent and Chaum patent considerations at the time, which were also not valid outside the US, and ML/etc. reasons why non-US providers were more likely to adopt it. We ended up getting fucked when a different political party got elected on the island and residence visas were pulled (we'd supported the other one), and then the e-gold federal indictment/prosecution/etc. (they were an investor). Also, living on a Caribbean island is not actually as much fun as you'd think.)
Yeah, I helped verify the scanned and OCRed pages of code at the HIP97 conference in The Netherlands. A lot of cypherpunks got together there to finalize the legally exported code on paper and turn it into a new digital distribution that was put back online outside of the US.<p>Anyone else here who was at HIP97?
Even more interesting - Richard White's tattoo of the RSA algorithm back in the 1990s. It was an open question whether his arm could travel outside the US.<p><a href="http://cypherpunks.venona.com/date/1995/12/msg00332.html" rel="nofollow">http://cypherpunks.venona.com/date/1995/12/msg00332.html</a>
When Debian decided to incorporate crypto code in main (before, a "non-us" section was dedicated to that), it became necessary to declare the export. So they printed descriptions of the software and mailed it to the Department of Commerce:<p><a href="https://ftp-master.debian.org/crypto-in-main/" rel="nofollow">https://ftp-master.debian.org/crypto-in-main/</a> (with pictures of course)
The whole "publish the source code as a book" thing was really more of a publicity stunt to demonstrate how absurd the regulations were. It was inspired by an earlier case (brought by Phil Karn), in which the US government ruled that Bruce Schneier's "Applied Cryptography" book did <i>not</i> fall under the export restrictions but a disk containing the source code that was printed in the book <i>did</i>.<p>The absurdity reached its peak when some bright spark wrote a three-line implementation of the RSA algorithm as a perl script (intended to be used as an email signature) and submitted it to the appropriate US government department for classification under the export controls, who promptly declared that anyone who wanted to export it needed to obtain a licence.<p>So, people started putting it on t-shirts ("This t-shirt is a munition!"), getting it tattooed on themselves ("<i>I</i> am a munition!"), etc.<p>Of course, this was all beside the point because the source code for all this stuff was widely available on the Internet.<p>The net effect of the export restrictions was that companies like Netscape and Microsoft had to create "export" versions of their browsers that were limited to a maximum key size of 56 bits. In '98 (I think), the US authorities relented somewhat, by allowing a scheme whereby financial institutions could get a special "Global ID" SSL certificate from Verisign that allowed the web server to persuade export browsers to "step up" their encryption to 128 bits.<p>Even after the US government relaxed the restrictions (in early January 2000), it took a long time for people to upgrade their browsers. 
I went to work at Deutsche Bank in the summer of 2000, where I was responsible for setting up the web servers for online trading systems and I can remember having to carefully craft the SSLCipherSuite section of httpd.confs to force export browsers to step up to a key length and encryption algorithm that satisfied the regulatory requirements for protecting trading systems.<p>It wasn't just the US who had controls on crypto either. I can remember learning far more than I ever wanted to know about the Wassenaar Agreement and the UK's Open General Export Licence because somebody wanted to give Identrus smartcards to clients who were located elsewhere in Europe.<p>And then, of course, the UK introduced RIPA, which allows the police to demand that anyone who has access to an encryption key turn it over. If you refuse, you can be sent to prison.
Something I was always curious about since I first found out about this trick: Why did the book not contain some error correcting codes at the bottom of each page to simplify the scanning process? Would it have somehow lessened the legal protection of Zimmermann's free speech?
The preface from the author is a great read, better than the Wikipedia article:<p><a href="http://www.mit.edu/~prz/EN/essays/BookPreface.html" rel="nofollow">http://www.mit.edu/~prz/EN/essays/BookPreface.html</a>
Please note that the "war on cryptography" is not over. There are still export controls in most of the world (including USA and EU).<p>For an up-to-date reference see <a href="http://www.cryptolaw.org/cls-sum.htm" rel="nofollow">http://www.cryptolaw.org/cls-sum.htm</a>
Heh, I remember when PGP 2.6i became available. I ended up using it very early on, to the point where I actually came up with a (really sketchy) translation for it.<p>This would have been late 1992 or early 1993.
Is there a list of cryptographic algorithms I cannot export / share / write for clients outside of the U.S.? My guess is they are things hidden from us, but I could be wrong.