I've just joined the list. I hope to contribute as a developer and architect; I spent 10 years developing cryptographic products at RSA Security, among other things. I'm also responsible for the Symmetric Key Challenges RSA posted from 1996 on, which contributed to the relaxation of export regulations around 2000. Back then, ITAR placed draconian regulations on export of binaries, code, and even knowledge; and 'export' could be something as simple as a chat over beer. Things are much better now.

I'm very happy with the open and transparent principles at ciphershed.org. In this kind of project, accountability creates confidence. But it also creates responsibility.

...which leads me to my first question...

Have we cleared what we want to do with a lawyer knowledgeable in the field? There are three main concerns I have, and one minor one. They may be nothing, but... I AM NOT A LAWYER.

1. Licensing. According to Wikipedia, a company called SecurStar claims IP in at least some of the early source code. Has this been investigated?

2. Export regulations. US EAR regulations require entities exporting cryptography - even free public domain source code - to register with BXA and report exports. This may require setting up a foundation or something, to create a legal nexus. See http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status

Selling compiled crypto SW for money adds in a lot more regulations, btw. The Truecrypt.ch folk should think about that.

Things used to be a great deal stricter (this project would have been flat out illegal prior to 2000), but I still find myself concerned (hopefully without cause) at the notion of an international team of both US and non-US citizens and residents collaborating in this manner on a crypto package. There may be *nothing* wrong, so long as (for example) we don't have a member in China or Russia. But I'd sleep easier knowing we checked whether (for example) every git commit needed a notification to BXA (they could be automated, btw).

I strongly suggest that someone on this project contact a team with similar concerns - for example, OpenSSL or OpenSSH - so we can leverage their experience, or we should talk to the EFF. I don't have strong personal contacts in those organizations, but perhaps someone else here does. A non-anonymous international team developing strong cryptographic products for general use needs to tread carefully, in today's climate.

3. Do we need to post a Warrant Canary? Do we need one for each team member? Should we add them to emails? Example at http://www.rsync.net/resources/notices/canary.txt

4. I *hate* the name FalseCrypt; and GeekCrypt isn't much better. How about WorldCrypt? Can we settle this, so we can get back to coding?

Peter Trei