> > The BXA doesn't care how you get the encryption done, whether an
> > application has its own routines or calls a library, if the end
> > result is cryptography, it's cryptographic software.

>
> Yes it does. There are special exemptions for open source.
>
> /r$


This is a total non sequitur. I discussed the exemption for open source.

This paragraph was addressing the distinction between programs that
implement cryptographic algorithms themselves and programs that get their
cryptographic algorithms from libraries (which may not be distributed with
that program). The BXA does not make a distinction. Essentially, any program
that uses (or could be made to use) OpenSSL would be subject to precisely
the same BXA rules as if it contained those same cryptographic algorithms
itself.

The OP specifically asked if it made any difference whether he shipped
OpenSSL or if it was included in the base Linux distribution itself. And the
answer is, no, it makes no difference. The software he wants to distribute
is cryptographic software if it performs (or can perform, would be expected
to perform, contains hooks intended to facilitate, etcetera) cryptographic
functions, whether or not under the hood it uses libraries that are already
there to implement the actual algorithms.

DS


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org