apr-dev mailing list archives

From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: Proposed Crypto Notification process
Date Tue, 04 Jul 2006 23:10:53 GMT
I am quite certain that the regulation is one notice per type of package
we export (product name x crypto capabilities).  What is unclear is the
meaning of the "link to sources" within that notice.  I think it is
sufficient for the link to httpd's "sources" to include a link to
OpenSSL's sources page as one example of an SSL library, since the source
dependency of mod_ssl on "any SSL library" is how we became 5D002
classified.  Telling BIS that httpd "includes" OpenSSL would be false.

I don't see any reason why apr-util would distribute OpenSSL in any
form -- it needs to compile against the installed SSL library (perhaps
a card) for the same reasons as httpd.  Assuming that will be the case,
apr-util's notice requirements will be the same as httpd.

I think we are going in circles, largely because the wrong questions
are being asked.  We do not distribute OpenSSL *today*.  If we *do*
decide to distribute OpenSSL, then we need to file a notice for
OpenSSL and point people to openssl.org in that notice.  Regardless,
we also have to file a notice for httpd and another for apr-util.
All of that has to wait until we have sufficient documentation in
place, namely a "/licenses/export.html" page that includes the
destination disclaimers and table of exported products/ECCN/source-link,
and then a sources page for each project that describes the contents
per version released.

....Roy
