On Thu, 07 Nov 2002 02:26:33, Thomas J. Hruska wrote:

>What if the OpenSSL DLLs are not included in the product distribution (this
>is a key area of the Win32 OpenSSL Installation Project)?  Sure the "hooks"
>exist in the application, but such applications will not run without
>compiled DLLs.  To download either the Win32 OpenSSL Installation Project
>or the source from openssl.org and compile it requires the user to make
>sure that they are allowed to use such cryptographic hooks in their state
>of residence.

        This would make export extremely difficult. You have no control over the 
algorithms and key sizes used, so you can't state what they are. For most of 
the ways you would get a license, specifying this information is mandatory.

>What if the parent company of the product goes belly-up and they have
>statically linked the DLLs to their now-deceased product?  At that point
>OpenSSL cannot be updated by the end-user if OpenSSL ever has
>security-oriented problems (e.g. 0.9.6d and below).

        That's how commodities work. It's commodity products that qualify for the 
best license exemptions. (Assuming the product isn't open source.)

>One copy of OpenSSL locally isn't enough?  Shared libraries were created
>for a reason...less memory is used and better version control.  Statically
>linked executables duplicate code bases and therefore use more memory.  Not
>to mention the whole multiple versions of the same code floating around in
>memory issue...

        This is a non-issue for OpenSSL since it hasn't committed to an API that 
won't change from version to version. So while this is interesting in theory, 
it has no applicability to the current, real-world usage of OpenSSL.

>>It would be interesting to know if any US based application, which
>>has export approval, does use the OpenSSL dll's.

        I would imagine any such application would either be open source or require 
an export license for each individual act of exporting. I could be wrong 
though, but I can't think of any other way to get export clearance for such a 
product.

>Sometimes I assume too many things...in this case I assumed that everyone
>in the world is basically honest (I generally give people the benefit of
>the doubt).  Of course, the reality is that laws exist because not everyone
>is honest, upright, and just.  If the people of the world were all honest,
>outstanding citizens, OpenSSL would not even exist...that would put us all
>out of an interesting job...  :P

        The most amusing part about it, to me, is that the U.S. government spent a 
decade doing everything it could to stop strong cryptography from being widely 
available. Now it turns around and laments the vulnerability of our 
information infrastructure to a possible cyberattack. Am I the only one who 
suspects a connection between these two things?

        DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
