I’m working for a company that builds some Python-based software.
This software gets distributed to clients globally (that includes France and the U.S.) with its dependencies embedded. These dependencies include the cryptography module.
The legal department has rightfully raised concerns about crypto-related software being distributed.
However, my understanding is that the cryptography module is built on top of cryptography backends (OpenSSL in my case). OpenSSL provides the low-level primitives (RSxxx/HSxxx encryption etc.) and cryptography is just a wrapper around this, not providing any encryption software itself. Is my understanding correct?
If that’s the case, this might be a game changer for me, as libopenssl is part of the client operating environment and is NOT being distributed with the software. However, the legal dept is asking for evidence, and I can’t find anything in cryptography’s official documentation nor in its licence that would back this claim. Any idea of how I could try to convince them?
Source: Python Questions
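Whether a bundled copy of a package carries its own OpenSSL depends on how that copy was built, so one way to gather evidence is to inspect the files that are actually shipped. The sketch below is an added example, not part of the original post or of the cryptography project: it scans a dependency directory for native libraries and looks for the version banner that OpenSSL compiles into its library. The directory layout, file names and file contents are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Version banner that OpenSSL compiles into libcrypto (OPENSSL_VERSION_TEXT),
# e.g. "OpenSSL 3.0.13 30 Jan 2024". Finding it inside a binary means OpenSSL
# code is linked into that file.
BANNER = re.compile(rb"OpenSSL \d+\.\d+\.\d+[a-z]?(?:-\w+)? +\d{1,2} \w{3} \d{4}")
BINARY_SUFFIXES = {".so", ".pyd", ".dll", ".dylib"}


def is_native(path: Path) -> bool:
    # Matches foo.so, foo.abi3.so, libssl.so.3, foo.pyd, ...
    return any(s in BINARY_SUFFIXES for s in path.suffixes)


def find_embedded_openssl(root: Path) -> dict[str, list[str]]:
    """Map each native library under root to the OpenSSL banners found in it."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and is_native(path):
            hits = sorted({m.decode() for m in BANNER.findall(path.read_bytes())})
            report[path.relative_to(root).as_posix()] = hits
    return report


def build_sample_tree(root: Path) -> None:
    # Constructed sample data standing in for a bundled dependency directory.
    pkg = root / "cryptography" / "hazmat" / "bindings"
    pkg.mkdir(parents=True)
    (pkg / "_rust.abi3.so").write_bytes(
        b"\x7fELF\x00pad\x00OpenSSL 3.0.13 30 Jan 2024\x00more")
    (pkg / "__init__.py").write_text("# pure Python wrapper code\n")
    other = root / "otherpkg"
    other.mkdir()
    (other / "_speedups.so").write_bytes(b"\x7fELF\x00no crypto here\x00")


def demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return find_embedded_openssl(Path(tmp))


if __name__ == "__main__":
    for lib, banners in demo().items():
        print(f"{lib}: {', '.join(banners) or 'no OpenSSL banner found'}")
```

To use it on a real distribution, point `find_embedded_openssl` at the directory of embedded dependencies. A hit shows that OpenSSL is linked into that file; an empty result only rules out OpenSSL, not other cryptographic code compiled into the library.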