httpd-dev mailing list archives

From Pier Fumagalli <>
Subject Re: distributing encryption software
Date Sat, 19 Oct 2002 12:10:53 GMT
As I said before... I believe that something can be done from here in old
Europe to fix the problem.... Like distributing SSL binaries and stuff from
here... Ok, they won't be on "", but....


On 19/10/02 10:56, "Roy T. Fielding" <> wrote:

> Ryan asked for a clarification about whether or not we have the ability
> to redistribute SSL binaries for win32.
>
> Last year, the board hired a lawyer to give us an opinion on whether
> we can distribute encryption software, or hooks to such software.
> The exact opinion we got back is, unfortunately, not online, but it
> is essentially the same (with less detail) as the one given to Debian
> and visible at <>.  Basically,
> we have the right to distribute encryption software in source or
> executable form if we also distribute that same software as open
> source for free to the public, provided we first notify the U.S.
> authorities once per new encryption-enabled product.
>
> This is sufficient for Debian because they distribute the source code
> to everything in Debian within a single repository.  Note, however,
> that we do not do the same for OpenSSL.  Not only is OpenSSL not in
> our CVS, but it isn't normally distributed by us at all, and the
> authors of OpenSSL aren't likely to want us to distribute it because
> doing so pollutes the recipients' rights with U.S. crypto controls
> whereas they could simply grab the same distribution from the origin
> and not be polluted.
>
> I think that Bill Rowe at one point requested that we seek out a
> lawyer's opinion on this specific matter, but that was not followed
> through by the board because we already know the legal aspects.
>
> The issue isn't legal -- it is social.  We can download a released
> version of OpenSSL, compile it, and make both available from our
> website provided we first notify the BXA as described in the Debian
> opinion above.  However, it is still preferable for our users to
> get the DLL themselves, from a distribution outside the U.S., and
> avoid having to maintain our distribution of OpenSSL up-to-date.
>
> I think a reasonable and defensible compromise would be to make
> it part of the win32 installation script -- to select no SSL or,
> if SSL is selected, to guide/automate the user in downloading an
> appropriate DLL from some other site.  Besides, that would allow
> the user to pick some other SSL library, such as one of the
> optimized ones available commercially that may already be
> installed on their system.  There is such a thing as being too
> concerned about "ease of installation."
>
> Finally, it should also be noted that the exception for Apache ONLY
> applies to non-commercial distributions.  Any commercial distribution,
> even if it is simply Apache slapped onto a CD and sold for a buck,
> remains subject to the old US export controls that everyone hates,
> and must be approved via a separate process.
>
> ....Roy
