couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Curt Arnold <carn...@apache.org>
Subject Re: Cryptography in CouchDB
Date Tue, 18 Aug 2009 05:16:47 GMT

On Aug 17, 2009, at 6:45 PM, Damien Katz wrote:

> I don't think it's necessary as we aren't encrypting anything. We do  
> use the crypto library, but only for generating random UUIDs.
>
> -Damien
>

Probably should have used "suspect" or "concerned" or something more  
speculative.  Noticing that CouchDB would not start on an Erlang  
runtime without openssl was a bit jarring. OAuth would also seem to be  
have a significant likelihood of incorporating encryption.  Those two  
facts seemed to warrant a message.

The whole export license stuff is an quagmire that I've taken pains to  
avoid.  Definitely think that you should check with legal-discuss if  
you have any questions.

erlang_oauth has a module named oauth_rsa_sha1 which makes me suspect  
that it would need an export declaration.

The following code snippet from couch_http_oauth.erl

consumer_lookup(Key, MethodStr) ->
     SignatureMethod = case MethodStr of
         "PLAINTEXT" -> plaintext;
         "HMAC-SHA1" -> hmac_sha1;
         %"RSA-SHA1" -> rsa_sha1;
         _Else -> undefined

appears to be at aware of specific encryption method.


I also ran into this little snippet in couch_util.erl:

%%% Purpose : Base 64 encoding and decoding.
%%% Copied from ssl_base_64 to avoid using the
%%% erlang ssl library

If there is a required dependency on ssl elsewhere, the duplicated  
code probably should be eliminated.  Also, the "license notice"  
doesn't give me much confidence.


FYI: Encryption notice for Erlang ssl: http://erlang.org/doc/apps/ssl/index.html

My wild guess is that the previous CouchDB releases did not need an  
export or cryptography notice if all they did was use the random  
number generator from the SSL module.    erlang_oauth and  
couch_http_oauth seem to be aware of cryptographic methods which my  
reading means that they require some action, but exactly what I'm  
uncertain.

Mime
View raw message