> I was told that even though our program is only supporting
> limited key lengths, it can not be exported as it is linking to
> OpenSSL which has the logic to support larger key lengths and
> strong ciphers.

This is a misleading thing to say. But in general, it's true that it's very difficult to export a product that can't provide reliable key length limitations. This is because the form you have to fill out requires you to disclose the algorithms and key lengths you will support.

If you dynamically link to OpenSSL, you may have no idea or control over what algorithms and key lengths you wind up using. This makes the form impossible to fill out.

If your product includes the OpenSSL libraries, you'd likely have to build a secure key length limitation into the version of the libraries that you ship. If your product dynamically links to the OpenSSL libraries or permits the user to supply his own version, you'd likely have to provide reasonable secure key length limitations in the application.

Note that the BXA doesn't care how your code does what it does, whether it uses OpenSSL or code you wrote yourself or whatever. They just care *what* your code is capable of doing.

Also, you can probably obtain an export license or license exemption for nearly any combination of algorithms and key lengths, so you won't have to weaken your export version, just exercise more control.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]