httpd-dev mailing list archives

From "Roy T. Fielding" <>
Subject Re: restructuring mod_ssl as an overlay
Date Thu, 08 Jun 2006 02:26:22 GMT
On Jun 7, 2006, at 2:35 PM, Ruediger Pluem wrote:
> On 06/07/2006 10:53 PM, William A. Rowe, Jr. wrote:
>> There's another gray point, without OpenSSL, mod_ssl is a noop, that is,
>> it does no crypto.  There is more crypto in mod_auth_digest, util_md5 or
>> in apr-util than there is in mod_ssl.
> I think this is an excellent point regarding the source. Without an SSL
> toolkit like openssl mod_ssl does nothing. It is no crypto software.
> Otherwise you could argue that httpd without mod_ssl is also crypto
> software, because you can use mod_ssl with httpd. So separating it into a
> subproject would not help either.

The controlled software under 5D002 includes both crypto software for
purpose of information privacy (not authentication) and any software
specifically designed to use 5D002-covered software.  Any SSL library
is controlled by 5D002 and mod_ssl is specifically designed to use
an SSL library.  In contrast, httpd module hooks are not specifically
designed to use mod_ssl -- they are general-purpose.

> So provided mod_auth_digest, util_md5 or apr-util do not impose further
> problems

One-way hash algorithms are not encryption technology.  Related, yes,
but "encryption" as it has been commonly defined is specific to
bidirectional transforms for information privacy applications.
