couchdb-dev mailing list archives

From Damien Katz <dam...@apache.org>
Subject Re: Cryptography in CouchDB
Date Tue, 18 Aug 2009 17:49:12 GMT

On Aug 17, 2009, at 10:16 PM, Curt Arnold wrote:

>
> On Aug 17, 2009, at 6:45 PM, Damien Katz wrote:
>
>> I don't think it's necessary as we aren't encrypting anything. We  
>> do use the crypto library, but only for generating random UUIDs.
>>
>> -Damien
>>
>
> Probably should have used "suspect" or "concerned" or something more  
> speculative.  Noticing that CouchDB would not start on an Erlang  
> runtime without openssl was a bit jarring. OAuth would also seem to  
> have a significant likelihood of incorporating encryption.  Those  
> two facts seemed to warrant a message.
>
> The whole export license stuff is a quagmire that I've taken pains  
> to avoid.  Definitely think that you should check with legal-discuss  
> if you have any questions.
>
> erlang_oauth has a module named oauth_rsa_sha1 which makes me  
> suspect that it would need an export declaration.
>
> The following code snippet from couch_http_oauth.erl
>
> consumer_lookup(Key, MethodStr) ->
>    SignatureMethod = case MethodStr of
>        "PLAINTEXT" -> plaintext;
>        "HMAC-SHA1" -> hmac_sha1;
>        %"RSA-SHA1" -> rsa_sha1;
>        _Else -> undefined
>
> appears to be aware of a specific encryption method.
>
>
> I also ran into this little snippet in couch_util.erl:
>
> %%% Purpose : Base 64 encoding and decoding.
> %%% Copied from ssl_base_64 to avoid using the
> %%% erlang ssl library
>
> If there is a required dependency on ssl elsewhere, the duplicated  
> code probably should be eliminated.  Also, the "license notice"  
> doesn't give me much confidence.
>
>
> FYI: Encryption notice for Erlang ssl: http://erlang.org/doc/apps/ssl/index.html
>
> My wild guess is that the previous CouchDB releases did not need an  
> export or cryptography notice if all they did was use the random  
> number generator from the SSL module.    erlang_oauth and  
> couch_http_oauth seem to be aware of cryptographic methods which by my  
> reading means that they require some action, but exactly what I'm  
> uncertain.

I disagree. We don't encrypt anything and as far as I know neither  
does any of the Auth stuff, which just uses cryptographic strength  
hashes, not encryption itself.

-Damien

