I was approached by a legal firm with the questions below about
Python's crypto capabilities, from the POV of a legal review of
exporting software that embeds Python. I don't have time to research
the answers myself (I'm no crypto expert). If you think you can
answer the questions, please send me a price quote and I'll forward it
to them. They'd like the answers ASAP.
--Guido van Rossum (home page: http://www.python.org/~guido/)

------- Forwarded Message

I understand Python is open source, but when open source code is
integrated in a commercial product, the owner of the commercial product
must include the open source code in their product analysis for U.S.
export classification purposes. Although as open source, Python falls
under an export control exception, this exception is lost once the code is
offered in a commercial product.

I would appreciate your help in obtaining some additional technical
information in order to complete my export classification analysis.

1. We have been advised the following encryption content is in Python.
   We are looking for additional information regarding the encryption
   content:

   a. The Rotor module, which implements a very ancient encryption
      algorithm based on the German Enigma. Please tell us the symmetric
      key length of the encryption contained within this module. Please
      also advise the asymmetric key exchange algorithm length.

   b. The wrapper module for OpenSSL. Again, please tell us the
      symmetric key length of the encryption content contained within
      this module. Please also advise the asymmetric key exchange
      algorithm length.

   c. The following questions apply to both the Rotor module and the
      wrapper module:

      i. Can the encryption function be directly accessed, or modified,
         by the end user?

      ii. Do either of these encryption components contain an "Open
          Cryptographic Interface" (an interface that is not fixed and
          permits a third party to insert encryption functionality)?

The following chart is an example of the type of information I need to
submit to the U.S. government. Would you be able to provide similar
information regarding the encryption component(s) included within Python?

EXAMPLE:
Algorithm Source Key-min Key-max Modes
RC2 OpenSSL 40 128 CBC, ECB, CFB, OFB
ARC4 OpenSSL 40 128 N/A (stream encryption)
DES OpenSSL 40 56 CBC, ECB, CFB, OFB
DESX OpenSSL 168 168 CBC
3DES-2Key OpenSSL 112 112 CBC, ECB, CFB, OFB
3DES OpenSSL 168 168 CBC, ECB, CFB, OFB
Blowfish OpenSSL 128 CBC, ECB, CFB, OFB
Diffie-Hellman OpenSSL 192* 16384* Key-exchange, authentication
DSA OpenSSL Digital Signature
MD5 OpenSSL Integrity
SHA-1 OpenSSL Integrity
* No explicit limit, these appear to be the practical range of values.