Crypto and export laws

M.-A. Lemburg mal at egenix.com
Fri Sep 25 04:50:58 EDT 2009


Austin Bingham wrote:
> I'm trying to get a handle on how python intersects with
> crypto-related export control laws in the US and elsewhere. My current
> understanding, per the PSF's wiki, is that any crypto related and
> potentially export-sensitive code is in the ssl wrapper, and that, in
> fact, this only links to the actual encryption implementation
> (presumably libssl or something.) One caveat is that windows
> installations may include the ssl implementation.
> 
> Does this effectively sum up python's exposure to export laws? On a
> technical level, does removing the ssl module from a distribution
> remove all references to encryption? Of course I'm not asking for
> actual legal advice, but can anyone think of any other part of the
> code that might run afoul of export rules? Thanks.

Here's a summary:

 * Python uses OpenSSL in the ssl module and the hashlib module.

 * hashlib falls back to its own implementations of the md5 and
   sha algorithms.

 * ssl doesn't work without OpenSSL installed on the system.

 * The Windows intaller of Python ships with the OpenSSL libs.

 * The only Python module that actually contained crypto code
   was the rotor module (implementing an enigma-style cipher),
   but that was removed a long time ago.

Depending on how close a country follows the Wassenaar
Arrangement (http://www.wassenaar.org/) OpenSSL, Python
and all other open-source software falls under the
GENERAL SOFTWARE NOTE part 2.:

"""
The Lists do not control "software" which is either:
1. ...
2. "In the public domain".
"""

If you're shipping a closed-source product that includes
OpenSSL, then you'd have to follow the rules in category 5
part 2 of the dual-use list:

http://www.wassenaar.org/publicdocuments/index_CL.html

However, some countries add some extra requirements to the
WA dual-use list, so you need check those as well.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Sep 25 2009)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::


   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/



More information about the Python-list mailing list