couchdb-dev mailing list archives

From Paul Davis <paul.joseph.da...@gmail.com>
Subject Re: Cryptography in CouchDB
Date Wed, 19 Aug 2009 18:40:30 GMT
Damien,

Looks like legal-discuss is suggesting that we fill out the notices
[1]. The instructions [2] don't appear overly complicated but it does
appear that you're the only one with the proper authority to make the
updates to different web pages.

Paul

[1] http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200908.mbox/%3c4A8C2657.1090303@rowe-clan.net%3e
[2] http://www.apache.org/dev/crypto.html

On Tue, Aug 18, 2009 at 1:49 PM, Damien Katz<damien@apache.org> wrote:
>
> On Aug 17, 2009, at 10:16 PM, Curt Arnold wrote:
>
>>
>> On Aug 17, 2009, at 6:45 PM, Damien Katz wrote:
>>
>>> I don't think it's necessary as we aren't encrypting anything. We do use
>>> the crypto library, but only for generating random UUIDs.
>>>
>>> -Damien
>>>
>>
>> Probably should have used "suspect" or "concerned" or something more
>> speculative.  Noticing that CouchDB would not start on an Erlang runtime
>> without openssl was a bit jarring. OAuth would also seem to have a
>> significant likelihood of incorporating encryption.  Those two facts seemed
>> to warrant a message.
>>
>> The whole export license stuff is a quagmire that I've taken pains to
>> avoid.  Definitely think that you should check with legal-discuss if you
>> have any questions.
>>
>> erlang_oauth has a module named oauth_rsa_sha1 which makes me suspect that
>> it would need an export declaration.
>>
>> The following code snippet from couch_http_oauth.erl
>>
>> consumer_lookup(Key, MethodStr) ->
>>   SignatureMethod = case MethodStr of
>>       "PLAINTEXT" -> plaintext;
>>       "HMAC-SHA1" -> hmac_sha1;
>>       %"RSA-SHA1" -> rsa_sha1;
>>       _Else -> undefined
>>
>> appears to be aware of a specific encryption method.
>>
>>
>> I also ran into this little snippet in couch_util.erl:
>>
>> %%% Purpose : Base 64 encoding and decoding.
>> %%% Copied from ssl_base_64 to avoid using the
>> %%% erlang ssl library
>>
>> If there is a required dependency on ssl elsewhere, the duplicated code
>> probably should be eliminated.  Also, the "license notice" doesn't give me
>> much confidence.
>>
>>
>> FYI: Encryption notice for Erlang ssl:
>> http://erlang.org/doc/apps/ssl/index.html
>>
>> My wild guess is that the previous CouchDB releases did not need an export
>> or cryptography notice if all they did was use the random number generator
>> from the SSL module.    erlang_oauth and couch_http_oauth seem to be aware
>> of cryptographic methods which by my reading means that they require some
>> action, but exactly what I'm uncertain.
>
> I disagree. We don't encrypt anything and as far as I know neither does any
> of the Auth stuff, which just uses cryptographic strength hashes, not
> encryption itself.
>
> -Damien
>
>
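Damien's point that the OAuth code relies on keyed hashes rather than encryption is visible in what a server actually does with an incoming signature. The following is an added example, not code from CouchDB or erlang_oauth: in Python it mirrors the method lookup from the quoted consumer_lookup and verifies an HMAC-SHA1 (or PLAINTEXT) OAuth 1.0 signature over constructed request values; the URL, keys and secrets are made up.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Signature methods the quoted consumer_lookup/2 recognises. RSA-SHA1 is
# commented out there, so it stays unsupported here as well.
SIGNATURE_METHODS = {"PLAINTEXT": "plaintext", "HMAC-SHA1": "hmac_sha1"}

def lookup_method(method_str):
    """Map oauth_signature_method to an internal name; unknown -> None."""
    return SIGNATURE_METHODS.get(method_str)

def pct(s):
    # RFC 5849 percent-encoding: everything except unreserved characters.
    return quote(s, safe="-._~")

def signing_key(consumer_secret, token_secret):
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def base_string(http_method, url, params):
    """OAuth 1.0 signature base string (oauth_signature itself excluded)."""
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([http_method.upper(), pct(url), pct(norm)])

def hmac_sha1_signature(consumer_secret, token_secret, http_method, url, params):
    key = signing_key(consumer_secret, token_secret).encode()
    msg = base_string(http_method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def verify(consumer_secret, token_secret, http_method, url, params):
    """Check a client's oauth_signature. The server recomputes the keyed hash
    from the shared secrets and compares in constant time; nothing is decrypted."""
    params = dict(params)
    presented = params.pop("oauth_signature", None)
    method = lookup_method(params.get("oauth_signature_method", ""))
    if presented is None:
        return False
    if method == "plaintext":
        expected = signing_key(consumer_secret, token_secret)
    elif method == "hmac_sha1":
        expected = hmac_sha1_signature(consumer_secret, token_secret,
                                       http_method, url, params)
    else:
        return False  # RSA-SHA1 or anything unknown is rejected
    return hmac.compare_digest(presented, expected)
```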
