[bananapub]

> Regarding source code, federal courts told the government it couldn't restrict the publishing of strong cryptography, which it considered a munition.

?

you mean after Phil Zimmerman spent years in court, and then published a physical book of the source code?

and the US government then sucessfully restricted export of actual software with above 56-bit keys for years[1]? to the extent that Debian and OpenBSD did all their opensource crypto work outside the US to avoid trouble?

and they still explicitly ban export to "rogue states" and "terrorist organisations" in 2022[2]?

things have improved since the 90s but it's still not unencumbered by the US government and the changes mostly happened to make US tech companies more competitive, not due to a desire to free anyone's speech.

[1]: https://en.wikipedia.org/wiki/Export_of_cryptography_from_th... [2]: https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...

[DennisP]

Bernstein vs US ruled that source code is protected speech, and struck down the export prohibition on strong cryptography.

https://en.wikipedia.org/wiki/Bernstein_v._United_States

From your link: "the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required."

[aYsY4dDQ2NrcNzA]

There definitely still exist some US restrictions.

https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...

[DennisP]

Yes, that's the same link as above. Some restrictions:

> Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license.

However:

> the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required.

So you're free to publish open source cryptographic software on the internet, you just have to let them know you're doing it. Bernstein vs US is the reason for that.

[dcow]

Another interesting note is that encryption software used for the purpose of authentication and credential management is also exempt even if it's not open source. Otherwise most every app on the market would have to go through this process because of login flows.