There's one more level of complexity in re US Export compliance which this discussion has overlooked (probably because of the specific nature of the question).
IMHO, BXA rules are set up with the assumption that the software in question is being developed in a proprietary way. When they refer to "export" they are assuming a controllable "first ship". What happens when encryption algorithms are introduced to an Open Source (eg. Public) project codebase several months before the project meets its final candidate acceptance criteria? How is that project expected to pre-notify BXA? And is there a burden of on-going notification, since the code in question is arguably continuously available? EFF did some work on this question, and advises a one-time notification and instructions for BXA on how to subscribe to the appropriate project mail list to facilitate monitoring. Is this sufficient to avoid non-compliance fines? Danese Cooper -- license-discuss archive is at http://crynwr.com/cgi-bin/ezmlm-cgi?3