www-legal-discuss mailing list archives

From Paul Davis <paul.joseph.da...@gmail.com>
Subject Re: Cryptography in CouchDB
Date Wed, 19 Aug 2009 18:37:09 GMT
On Wed, Aug 19, 2009 at 12:20 PM, William A. Rowe, Jr. <wrowe@rowe-clan.net> wrote:
> Paul Davis wrote:
>>
>> There are two main spots of concern in CouchDB:
>>
>> Situation one:
>> * We have a direct dependency on the Erlang crypto module [3]
>> * The Erlang crypto module makes calls to OpenSSL
>> * The only calls we make to crypto are, sha_mac, sha, rand_bytes and
>> rand_uniform, none of which would appear to be cryptographic in
>> nature.
>
> This is not an issue.  The 'signature' characteristics, even using such
> hashes to resolve a 'crypted' password, are not subject to crypto export
> controls as I understand them, you aren't shipping Erlang, you do not
> 'cause' Erlang to expose these (Erlang has them available or it does
> not, irrespective of your use of the crypto module).
>
>> Situation two:
>> * One of our dependencies uses the Erlang module priv_key [4]
>> * priv_key is only available in the most recent versions of Erlang so
>> we've disabled compiling that part of the dependency. (we prevent our
>> dependency from compiling code that would call the priv_key module.)
>>
>> In general, the basic question is: What are the proper steps related
>> to code that makes calls into a library that may or may not be calling
>> OpenSSL? Does this constitute "providing bindings"? If this does place
>> restrictions on us, what are they and what should be done about them?
>
> If used for "signatures" this is not an issue; however you are stepping
> closer and closer to the line, and it might be a good idea to file now,
> anyways.  You need to follow the crypto dev policy upon initially committing
> this code if used for "encryption", irrespective of "releases", irrespective
> of "enabling" it by default.  See http://www.apache.org/dev/crypto.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
>
>

William,

Thanks for the clarification. I'll start the ball rolling on our end
to get this done so we can just not worry about it.

Paul
