www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Carman <ja...@carmanconsulting.com>
Subject Re: Current guidance on using strong cryptographic algorithms in Apache projects
Date Mon, 30 Sep 2013 11:40:28 GMT

You are just merely planning on using the crypto interfaces included
with the JDK, right?  You don't really care what's "behind the


On Sun, Sep 29, 2013 at 9:24 PM, Andrew Purtell <apurtell@apache.org> wrote:
> Dear Apache Legal Affairs,
> At
> http://www.apache.org/dev/crypto.htm
> l
> was, formerly, guidance to Apache PMC members on the necessary steps to take
> should a contribution implementing or employing cryptographic functions be
> considered for commit. It outlines necessary documentation and procedural
> steps the PMC must adopt ahead of committing the code and ahead of any
> release including it. However, near the top of that page is this notice:
> Note - the regulations covering US export control laws for encryption were
> changed on June 25th 2010. This page describes the previous process. Until
> an updated version has been drawn up and approved by the Apache VP Legal
> Affairs, projects should check with the legal-discuss list before
> proceeding.
> On the Apache HBase JIRA issue HBASE-7544
> (https://issues.apache.org/jira/browse/HBASE-7544), "Transparent table/CF
> encryption", the Apache HBase project is presented with a change that would
> employ cryptographic functions. The proposed change does not implement
> cryptographic algorithms directly, but provides a framework for their use in
> the HBase product, and includes a new feature for HBase employing that
> framework to encrypt data. Such encryption would be done with an algorithm
> available in any Java runtime environment that is a symmetric algorithm
> employing a key length in excess of 56-bits (128 bits).
> I would like to engage my PMC in a discussion about possibly including the
> HBASE-7544 change in an upcoming release. Before I can do that, I think we
> need to clearly understand what the ramifications of such action would be.
> What is the general guidance from Apache Legal Affairs to Apache project
> with respect to inclusion of code employing cryptographic functions? What
> procedural changes and/or new release requirements would our project need to
> adopt if such code is committed?
> Please be advised I have also copied this message to the Apache HBase PMC
> mailing list for their information.
> --
> Best regards,
>    - Andy
> Problems worthy of attack prove their worth by hitting back. - Piet Hein
> (via Tom White)

To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

View raw message