I think we can put the "US company needs" aside for a moment and look at it
from the point of view of the user. The result is more or less the same.
The US export law prevents vendors (freeware, shareware or commercial) from
meeting the user's need of strong, globally interoperable crypto.
So the question for me, is what is the best attack that will get the law
changed, or allow us to get around it? The law is the real problem, not
one company's desire to make money. The fact that the only algorithm
approved for export is IPR of a particular company is sort of an ironic
twist to this debate.
I suspect the way to get the law changed, is to create public opinion which
will in turn put pressure on our legislators. The argument used thus far is
that the law is "bad for US business". I don't have the inside track on
the politics, but it seems that has had mixed results. So what are the
scenarios for public opinion given our two choices to doing 40 bit or not?
If we do 40 bit, then we're likely to see the CNN headline and S/MIME may
get a black eye. Can the politics be twisted to blame this on the US
government? Privacy is certainly an issue the public is sensitive to.
If we only do strong with no export, I expect implementations to show up
internationally that will interoperate with US implementations. Some US
implementations might escape the country too. I'm not sure where the
pressure comes from other, than documenting the lost sales.
I suspect these arguments are pretty incomplete due to my lack
understanding of all the politics, but hopefully approaching the problem of
changing the law for the sake of users around the world is a useful
alternative to the current debate.
LL