Incidentally, I think this is probably a dangerous course of
action. The EAR <http://www.bxa.doc.gov/supp6.htm> 7 day review
criteria explicitly state:
(iv) The software must not allow the alteration of the data
encryption mechanism and its associated key spaces by the user or
any other program
It seem that Fortify is a constructive proof that the program
in question violates this criterion. That doesn't mean it's
ineligible for CJ completely but I wouldn't want to try to get
approval for it either.
I'm sure the EAR enforcement folks are well aware of how well or poorly
various software they approve for export adhere to regulation. I'll leave it
to the individual corporations and EAR to soft this out.
The point I was trying to make is that from a practical standpoint
companies like Netscape need change nothing. Just keep their code
structured the same way and let unrelated 3rd parties "do the dirty
I think we're in violent agreement here, then.
[Eric Rescorla Terisa Systems, Inc.]
"Put it in the top slot."