www-legal-discuss mailing list archives

From Andrew Purtell <apurt...@apache.org>
Subject Re: Current guidance on using strong cryptographic algorithms in Apache projects
Date Tue, 01 Oct 2013 02:12:08 GMT
The conclusion I will take to my PMC in the absence of an authoritative
opinion from the Foundation is that no special action is needed, and I will
refer to this thread. Thanks.


On Monday, September 30, 2013, James Carman wrote:

> I'm no lawyer, but I think you're okay if you just stick to using the
> interfaces.  The JCE was restricted for export (I believe that's been
> relaxed now too), but you're not including actual algorithms or
> anything in our code, just coding to the interfaces on which the
> algorithms are implemented.
>
> On Mon, Sep 30, 2013 at 8:35 AM, Andrew Purtell <apurtell@apache.org> wrote:
> > James,
> >
> > Yes, the proposed contribution on HBASE-7544 only uses the crypto interfaces
> > of the JDK.
> >
> > The HBASE-7544 framework could be used to plug in a cryptographic algorithm
> > implementation directly into the HBase product, to be shipped with the HBase
> > product, but this is not currently contemplated.
> >
> >
> > On Mon, Sep 30, 2013 at 7:40 PM, James Carman <james@carmanconsulting.com>
> > wrote:
> >>
> >> Andrew,
> >>
> >> You are just merely planning on using the crypto interfaces included
> >> with the JDK, right?  You don't really care what's "behind the
> >> scenes."
> >>
> >> James
> >>
> >> On Sun, Sep 29, 2013 at 9:24 PM, Andrew Purtell <apurtell@apache.org>
> >> wrote:
> >> > Dear Apache Legal Affairs,
> >> >
> >> > At
> >> > http://www.apache.org/dev/crypto.html
> >> > was, formerly, guidance to Apache PMC members on the necessary steps to
> >> > take should a contribution implementing or employing cryptographic
> >> > functions be considered for commit. It outlines necessary documentation
> >> > and procedural steps the PMC must adopt ahead of committing the code and
> >> > ahead of any release including it. However, near the top of that page is
> >> > this notice:
> >> >
> >> > Note - the regulations covering US export control laws for encryption
> >> > were changed on June 25th 2010. This page describes the previous process.
> >> > Until an updated version has been drawn up and approved by the Apache VP
> >> > Legal Affairs, projects should check with the legal-discuss list before
> >> > proceeding.
> >> >
> >> >
> >> > On the Apache HBase JIRA issue HBASE-7544
> >> > (https://issues.apache.org/jira/browse/HBASE-7544), "Transparent
> >> > table/CF encryption", the Apache HBase project is presented with a change
> >> > that would employ cryptographic functions. The proposed change does not
> >> > implement cryptographic algorithms directly, but provides a framework for
> >> > their use in the HBase product, and includes a new feature for HBase
> >> > employing that framework to encrypt data. Such encryption would be done
> >> > with an algorithm available in any Java runtime environment that is a
> >> > symmetric algorithm employing a key length in excess of 56-bits (128 bits).
> >> >
> >> > I would like to engage my PMC in a discussion about possibly including
> >> > the HBASE-7544 change in an upcoming release. Before I can do that, I
> >> > think we need to clearly understand what the ramifications of such action
> >> > would be. What is the general guidance from Apache Legal Affairs to Apache
> >> > projects with respect to inclusion of code employing cryptographic
> >> > functions? What procedural changes and/or new release requirements would
> >> > our project need to adopt if such code is committed?
> >> >
> >> > Please be advised I have also copied this message to the Apache HBase
> >> > PMC mailing list for their information.
> >> >
> >> > --
> >> > Best regards,
> >> >
> >> >    - Andy
> >> >
> >> > Problems worthy of attack prove their worth by hitting back. - Piet Hein
> >> > (via Tom White)
> >>



-- 
Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein
(via Tom White)
