couchdb-dev mailing list archives

From Jonathan <jdkne...@gmail.com>
Subject Re: Making CouchDB crypto dependency optional
Date Mon, 18 Jan 2010 01:06:22 GMT
On Sun, Jan 17, 2010 at 4:08 PM, Chris Anderson <jchris@apache.org> wrote:

> On Sun, Jan 17, 2010 at 1:17 PM, Jonathan <jdknezek@gmail.com> wrote:
> > I've created a pure-Erlang copy of this API (that attempts to fall back to
> > the crypto library if possible) at http://gist.github.com/279085.  The
> > random stream isn't cryptographically secure of course, but it should work
>
> I'm +1 on this. The complications are (a) making sure the licensing is
> done correctly. (b) making sure the sha etc are compatible, so passwords
> work across implementations.
>

I've updated the gist to include (along with fixes thanks to said testing)
the test_sha/1 and test_sha_mac/1 functions, which will test random messages
(and keys if applicable) of length N, N - 1, ..., 0 and compare the pure
Erlang output with the crypto library output.  If you get 'ok' all is well.

As for the licensing, I'm definitely not a lawyer.  For what it's worth, the
reference implementation was published in RFC 3174, which in turn draws
mostly from NIST FIPS 180-1, which was superseded by FIPS 180-2.  According
to https://datatracker.ietf.org/ipr/858/:

> The U.S. Government holds U.S. Patent 6,829,355 on the "Device for and
> method of one-way cryptographic hashing", which has been incorporated into
> Federal Information Processing Standard (FIPS) 180-2. This patent was
> issued on December 7, 2004. The National Security Agency has made U.S.
> Patent 6,829,355 available royalty-free.

FIPS 180-2 makes no mention of licensing aside from the fact that it's
subject to export control.  Hope that's at least a start...


Jonathan
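
The differential test described in the message, as an added example in Python (not the gist's Erlang code and not part of the original post): a from-scratch SHA-1 and HMAC-SHA-1 following RFC 3174 and RFC 2104 are compared with the platform library for every length from N down to 0, which exercises the padding boundaries at 55, 56 and 64 bytes. The names `sha1`, `sha1_mac` and `mismatches` are hypothetical, and `hashlib`/`hmac` stand in for the crypto library.

```python
import hashlib, hmac, os, struct

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1(msg: bytes) -> bytes:
    """Pure-Python SHA-1 per RFC 3174 (hypothetical stand-in for the gist's code)."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit big-endian bit length.
    zeros = b"\x00" * ((55 - len(msg)) % 64)
    padded = msg + b"\x80" + zeros + struct.pack(">Q", len(msg) * 8)
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for t in range(16, 80):
            w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            tmp = (_rotl(a, 5) + f + e + k + w[t]) & 0xFFFFFFFF
            a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)

def sha1_mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA-1 per RFC 2104, built on the pure sha1() above."""
    if len(key) > 64:              # keys longer than one block are hashed first
        key = sha1(key)
    key = key.ljust(64, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return sha1(opad + sha1(ipad + msg))

def mismatches(n: int) -> list:
    """Compare pure vs. library output for random inputs of length n, n-1, ..., 0."""
    bad = []
    for length in range(n, -1, -1):
        msg, key = os.urandom(length), os.urandom(length)  # constructed test data
        if sha1(msg) != hashlib.sha1(msg).digest():
            bad.append(("sha", length))
        if sha1_mac(key, msg) != hmac.new(key, msg, hashlib.sha1).digest():
            bad.append(("sha_mac", length))
    return bad  # an empty list corresponds to the 'ok' result in the message
```

Running `mismatches` with N above 64 also covers the HMAC path where the key is longer than one block and is hashed before use.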
