httpd-dev mailing list archives

From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: restructuring mod_ssl as an overlay
Date Thu, 08 Jun 2006 02:26:22 GMT
On Jun 7, 2006, at 2:35 PM, Ruediger Pluem wrote:
> On 06/07/2006 10:53 PM, William A. Rowe, Jr. wrote:
>> There's another gray point, without OpenSSL, mod_ssl is a noop, that is,
>> it does no crypto.  There is more crypto in mod_auth_digest, util_md5 or
>> in apr-util than there is in mod_ssl.
>
> I think this is an excellent point regarding the source. Without an SSL toolkit
> like openssl mod_ssl does nothing. It is no crypto software. Otherwise you could
> argue that httpd without mod_ssl is also crypto software, because you can use
> mod_ssl with httpd. So separating it into a subproject would not help either.

The controlled software under 5D002 includes both crypto software for the
purpose of information privacy (not authentication) and any software
specifically designed to use 5D002-covered software.  Any SSL library
is controlled by 5D002 and mod_ssl is specifically designed to use
an SSL library.  In contrast, httpd module hooks are not specifically
designed to use mod_ssl -- they are general-purpose.

> So provided mod_auth_digest, util_md5 or apr-util do not impose further problems

One-way hash algorithms are not encryption technology.  Related, yes,
but "encryption" as it has been commonly defined is specific to
bidirectional transforms for information privacy applications.

....Roy