
Earlier this year I came across this page on SourceForge:

   http://alexandria.wiki.sourceforge.net/Notes+on+the+Hosting+of+Cryptographic+Software+at+SourceForge.net

And realized that this project (NewWorldOS/Objectify) would likely fall into that category.

I contacted the Software Freedom Law Center: http://www.softwarefreedom.org/about/contact/
and they directed me to these web sites:

   http://www.bis.doc.gov/encryption/pubavailencsourcecodenofify.html (note: notify is mispelled)
   http://www.cdt.org/crypto/admin/000114qanda.shtml

On September 4th, 2008, I sent the the following e-mail to the addresses given on that web page:

   From:     J. Scott Edwards <qrw.software@gmail.com>
   To:       crypt@bis.doc.gov, enc@nsa.gov, web_site@bis.doc.gov
   Date:     Thu, Sep 4, 2008 at 8:43 AM
   Subject:  TSU NOTIFICATION - Encryption
	
	
   SUBMISSION TYPE: TSU
   SUBMITTED BY: J. Scott Edwards
   SUBMITTED FOR: QRW Software
   POINT OF CONTACT: J. Scott Edwards
   PHONE and/or FAX: 801-xxx-xxxx
   MANUFACTURER: N/A
   PRODUCT NAME/MODEL #: N/A
   ECCN: 5D002

   NOTIFICATION: I want to make a modification to my existing Open Source
   project: http://sourceforge.net/projects/nwos that will increase the
   security.

   Currently the project uses the standard Blowfish encryption from the
   OpenSSL (libcrypto) library and then from a 64-bit key generates a 1
   megabyte table that scrambles the encrypted data.  I want to modify it
   so that it uses the same algorithm, but instead of scrambling the data
   with a table generated from a 64-bit key, it scrambles the data with a
   randomly generated 1 megabyte table.  I spoke with someone at the
   Software Freedom Law Center http://www.softwarefreedom.org/ and he
   advised me to file with you for this modification.

   Please note that I have not written the modified code yet, the code
   that is available on the web site is still the code that generates the
   scrambling table from the 64-bit key.

   If you need more information or there are further questions please contact me.

   Thanks
     -J. Scott Edwards


First, I was expecting an auto-reply saying they had received the notification.  I did not.  

Then I expected some sort of acknowledgement that it was okay to proceed with the new
addtion to my encryption.  I was under the impression that they were going to tell me that 
it was okay for me to implement my change or if there was something else I needed to do.

When more than a month went by, I started started wondering if they had received my e-mail?
If it just a long time to process?  What was the status?  So I contacted them via this
"Contact Us" form:

   https://www.bis.doc.gov/forms/encryptioninquiry.html

After a couple of weeks after that I became concerned that I had not received any sort of
reply to my inquiry.  I finally decided to call them because I did not know what was going 
on.  I tried several of the numbers that I found on their web site and left messages on one.
I talked to someone at one number, who gave me another number.  That number said they didn't
know anything about that but they would find out and call me back.  They never did.  I later
discovered that I may have dialed the wrong number the first time, because when I called the
number again they connected me to someone who did know all about this stuff and she explained
the whole situtation to me.

Keep in mind the I AM NOT A LAWYER!  The following are the points I remember from the
conversation two days ago on the phone.  This is what I remember and it could be incorrect.
If you need to do this yourself you should get some legal help and advice!!

  1) I was originally under the impression that only projects that do or add their own
     encryption need to do the TSU NOTIFICATION.  After my conversation on Friday my
     understanding is that is wrong.   Any project that does encryption needs to send the
     TSU NOTIFICATION.  I.E. even if a project just uses OpenSSL to do encryption and does
     not add or do anything different or extra, it still needs to send a TSU NOTIFICATION.

  2) Only projects that are 100% open source are qualified for the TSU.  I.E. if you have
     a closed source project that uses OpenSSL to do encryption you, are not eligible for
     the TSU.

  3) They do NOT acknowledge the reciept of your TSU NOTIFICATION in any way.  They simply
     file it away.  She advised me to keep detailed records of having sent it, in case
     there is ever a question.

While I was on the phone she was kind enough to check to see if they had filed the notice
I sent on September 4th.  She could not find it and explained that they do have a spam
filter in place, and although it is set very "loose" it does sometimes filter out genuine
TSU NOTIFICATIONS.  I sent my notice again on October 24th.  I guess one can only hope
that it made it through.  Hence the reason I am documenting this in the project. 

And just for the record let me repeat: I AM NOT A LAWYER, do not take this as legal advice!

