I am in the interesting situation of being someone who will probably
never see or use RSAref (being outside the USA) but for people to use my
code in the USA I have to know the RSAref API. I think things
would be rather weird if I had to licence the use of the 'non-standard'
RSAref interface but never actually see the code.

Of course, for you, this makes things even more difficult. I am
knowledgeable enough of the cryptography export issues that I am very wary
of making broad statements, but I hope that it will be possible for people
outside of the US to create their own libraries compatible with a published
RSAREF API. The reality is that it may not be possible under the current
political climate.

I've managed to do this in the past: I wrote my software to use my own RSA
code but implemented the interface to it so pretty much any RSA routines
could be plugged in. Then someone in the US got it going with RSAREF, and
I wrote to RSADSI asking for permission to access some of the low-level
APIs, with the necessary changes being included in my code as diffs to
RSAREF. The changes were very minor, and I didn't have any problems getting
permission. This allowed me, as a non-US person, to distribute code which
could be used to create both US and non-US versions of my program.
Peter.