On Jun 7, 2006, at 2:35 PM, Ruediger Pluem wrote:
On 06/07/2006 10:53 PM, William A. Rowe, Jr. wrote:
There's another gray point, without OpenSSL, mod_ssl is a noop,
that is,
it does no crypto. There is more crypto in mod_auth_digest,
util_md5 or
in apr-util than there is in mod_ssl.
I think this is an excellent point regarding the source. Without an
SSL toolkit
like openssl mod_ssl does nothing. It is no crypto software.
Otherwise you could
argue that httpd without mod_ssl is also crypto software, because
you can use
mod_ssl with httpd. So separating it into a subproject would not
help either.
The controlled software under 5D002 includes both crypto software for
the
purpose of information privacy (not authentication) and any software
specifically designed to use 5D002-covered software. Any SSL library
is controlled by 5D002 and mod_ssl is specifically designed to use
an SSL library. In contrast, httpd module hooks are not specifically
designed to use mod_ssl -- they are general-purpose.
So provided mod_auth_digest, util_md5 or apr-util do not impose
further problems
One-way hash algorithms are not encryption technology. Related, yes,
but "encryption" as it has been commonly defined is specific to
bidirectional transforms for information privacy applications.
....Roy
