That was my understanding; the export control rules were hard to
understand and awkward at best if you did understand them.

Later certainly is here (18 or 19 years later!).  I consider the
transport security issue one that renders coda unsuitable for serious
use.  My IPsec kludge is not fully satisfactory, as there is no
linkage from IKE identities to coda identities, but it is workable for
now.  Unfortunately I haven't gotten around to helping, since coda is
a spare time pursuit and my intent was to be a coda user rather than a
coda hacker.

Given the current rules, are you willing to bring strong
authentication (which has always been ok) and confidentiality into
RPC2?  This is tricky; encryption doesn't give you integrity.  From
what I read in rpc2-src/secure.c, there is the concept of
encrypt/decrypt, but no expansion is allowed (leaving no room for a
message integrity code) and the encryption must work on arbitrary byte
boundaries.  I suspect a mode like ciphertext stealing would work
here, but I'm rusty on the details.
It was not apparent on reading the code how authentication is handled
(separately from encryption, it seems, but I couldn't follow it).