packaging cryptography software and distributing
I'm developing a Python GUI application and plan on calling an external program packaged with my program to do some encryption. I noticed that sites like OpenSSL talk about export laws regarding cryptography software.
If I can't package binary forms of the cryptography software with my application, how can I work around this to still be able to encrypt the output of my program?
You need to pick your target audiences with care, especially when you are dancing around with ITAR -- the International Traffic in Arms Regulations. Identify the countries you can legally export your product to and then, at the very least, say that people from other countries can't download it. You may have to do more than that to stay legal in your country.
Legally, this is getting into the deep end of the pool and you will want to talk to a knowledgeable attorney about this. If you live in Finland, you can probably do whatever you like. If you live in the US, be careful. If you live in France, be very careful.
Update: Sometimes I feel old, other days I prove it. Without checking on the current ITAR handling of strong cryptography I responded with an answer that is at least 12 years out of date. Prior to 1997 exporting crypto of any sort, from/to any country, was a very dicey thing to do and carried severe legal penalties. This was especially true in France which, for a time, outlawed all non-governmental uses of crypto, even very weak 40-bit DES. Although France has loosened up a bit, they still seem to be behind most other developed countries in understanding that a) their citizens have a valid right to privacy, and b) there's not much they can do to stop it in a world where 4096-bit RSA is available all over the net.
ITAR's stance on crypto changed in 96-97. Although matters have improved in general, there are still obstacles to exporting/importing crypto. Before you go too much further you should thoroughly familiarize yourself with the laws of your country regarding crypto -- you might be shocked/saddened by what you find. Even the U.S. still has some restrictions on what kind of crypto you can export to whom and in what form.
Some countries, notably France and the U.K., have had (and appear to still have in some form or other) laws that can require the supplier of the software to either escrow keys used by their customers and/or provide a backdoor into the system in case the government wants to see what you are talking about.
Bottom line: Good crypto makes governments nervous and the laws on what is legal/illegal are all over the map. Try to understand exactly what role encryption plays in your proposed product/project and determine if it's something that a user can opt in/out of based on their own country's stance on the subject.
I have often seen people rely on an external package for the cryptographic part: you can package your software without the cryptographic package, and tell your user that they have to download and install the cryptographic part from the original publisher.
This is effectively moving the responsibility for the cryptographic part from you to your user.
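One way to structure what this answer describes, as an added example that is not part of the original answer: the application ships no cryptographic code, looks at run time for a GnuPG binary the user installed themselves, and refuses to write output if none is found. GnuPG as the external tool, the function names and the sample recipient and file name are assumptions made for illustration.

```python
import shutil
import subprocess

INSTALL_HINT = ("Encryption needs GnuPG, which is not shipped with this "
                "application. Install it from its original publisher and retry.")

class CryptoToolMissing(RuntimeError):
    """Raised when no user-installed gpg binary can be found."""

def locate_gpg(search_path=None):
    """Return the full path of gpg/gpg2 on PATH (or search_path), else None."""
    for name in ("gpg", "gpg2"):
        found = shutil.which(name, path=search_path)
        if found:
            return found
    return None

def build_encrypt_command(gpg_path, recipient, out_file):
    """Argument list for public-key encryption of stdin into out_file."""
    # An argument list (no shell=True) keeps recipient and out_file from
    # ever being interpreted by a shell.
    return [gpg_path, "--batch", "--yes", "--encrypt",
            "--recipient", recipient, "--output", out_file]

def encrypt_output(data, recipient, out_file, search_path=None):
    """Encrypt bytes with the user's own gpg; plaintext travels over stdin only."""
    gpg_path = locate_gpg(search_path)
    if gpg_path is None:
        raise CryptoToolMissing(INSTALL_HINT)
    result = subprocess.run(build_encrypt_command(gpg_path, recipient, out_file),
                            input=data, capture_output=True, timeout=60)
    if result.returncode != 0:
        # Fail closed: never fall back to writing plaintext when the tool fails.
        raise RuntimeError("gpg failed: " + result.stderr.decode(errors="replace"))
    return out_file

if __name__ == "__main__":
    try:
        # Constructed sample values; the recipient key must exist in the user's keyring.
        encrypt_output(b"report contents", "user@example.org", "report.gpg")
        print("encrypted")
    except CryptoToolMissing as exc:
        print(exc)  # a GUI would show this message in a dialog instead
```

Resolving the binary to a full path once and passing that path to `subprocess.run` means the program that was found is the one that gets executed.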