www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Carman <ja...@carmanconsulting.com>
Subject Re: Current guidance on using strong cryptographic algorithms in Apache projects
Date Mon, 30 Sep 2013 11:40:28 GMT
Andrew,

You are just merely planning on using the crypto interfaces included
with the JDK, right?  You don't really care what's "behind the
scenes."

James

On Sun, Sep 29, 2013 at 9:24 PM, Andrew Purtell <apurtell@apache.org> wrote:
> Dear Apache Legal Affairs,
>
> At
> http://www.apache.org/dev/crypto.htm
> l
> was, formerly, guidance to Apache PMC members on the necessary steps to take
> should a contribution implementing or employing cryptographic functions be
> considered for commit. It outlines necessary documentation and procedural
> steps the PMC must adopt ahead of committing the code and ahead of any
> release including it. However, near the top of that page is this notice:
>
> Note - the regulations covering US export control laws for encryption were
> changed on June 25th 2010. This page describes the previous process. Until
> an updated version has been drawn up and approved by the Apache VP Legal
> Affairs, projects should check with the legal-discuss list before
> proceeding.
>
>
> On the Apache HBase JIRA issue HBASE-7544
> (https://issues.apache.org/jira/browse/HBASE-7544), "Transparent table/CF
> encryption", the Apache HBase project is presented with a change that would
> employ cryptographic functions. The proposed change does not implement
> cryptographic algorithms directly, but provides a framework for their use in
> the HBase product, and includes a new feature for HBase employing that
> framework to encrypt data. Such encryption would be done with an algorithm
> available in any Java runtime environment that is a symmetric algorithm
> employing a key length in excess of 56-bits (128 bits).
>
> I would like to engage my PMC in a discussion about possibly including the
> HBASE-7544 change in an upcoming release. Before I can do that, I think we
> need to clearly understand what the ramifications of such action would be.
> What is the general guidance from Apache Legal Affairs to Apache project
> with respect to inclusion of code employing cryptographic functions? What
> procedural changes and/or new release requirements would our project need to
> adopt if such code is committed?
>
> Please be advised I have also copied this message to the Apache HBase PMC
> mailing list for their information.
>
> --
> Best regards,
>
>    - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein
> (via Tom White)

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Mime
View raw message