On Tue, 05 Nov 2002 13:12:27, Thomas J. Hruska wrote:
>Technically end-users should do
>the compilation of OpenSSL for their systems and companies should not
>incorporate OpenSSL into their product lines because of import and export
>regulations (legal issues just get messy in regards to cryptography
>software).
This is the reverse of the legal advice I've gotten, and I've applied for
and received export clearance for cryptographic software many times.
If you let the end user do the compilation, you need to provide crypto hooks
in your software for the end-user to hook OpenSSL into. This is very
difficult to get export clearance for because you can't assure any particular
set of operating limitations.
On the other hand, if you incorporate OpenSSL into the product directly, you
have complete control over algorithms and bit sizes and you need expose no
crypto APIs to the end user. This makes obtaining export clearance *much*
easier.
DS
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
