[mratsim]

I disagree.

To fully comply with this you would need as a library provider to fully KYC your clients so that there is a firewall between their US and non-US entities, and that travelling people don't bring out an encryption library at the same time.

It would be a operational nightmare.

[deaddodo]

Which part are you disagreeing with? I'm literally laymaning the law.

The law never covered using cryptography, it was always about exporting it. Mostly it was written around keeping military specific cryptography from entering rival powers hands, but was overbearing. So they amended it to allow commercially developed/homegrown cryptography (explicitly not developed for governmental/military use) to be distributed normally. In practice, it's still a little muddy as many of those use DoJ/DoS-funded cryptography patterns, but the government has chosen to take a fairly hands off approach on those (RSA and DSA are key examples).

You're correct that it would also be almost impossible to enforce the original wording in today's world of globalization. They also have little power to enforce it on foreign nationals, which is why a warning was usually Good Enough(TM) for American software developers.

[hughesjj]

Using is exporting though. If you made a client that had https, and a customer downloaded it in Toronto, you were breaking the law.

[deaddodo]

This is....yes, the exact point; thank you for finally getting to what everyone was saying from the outset. Now follow the conversation forward.

Re-read the first post and the last paragraph of the one you're replying to. Everything you're knee jerk contrarianizing is covered.

[tptacek]

In the time period we're discussing, I was on a team shipping a commercial (shrink-wrap!) software project that extensively used cryptography, including an export version of same. It was not a big deal; it was not an operational nightmare; in the North American market, it wasn't a thing at all, you just did whatever you wanted.