Mailing-List: contact legal-discuss-help@apache.org; run by ezmlm
Precedence: bulk
Reply-To: legal-discuss@apache.org
MIME-Version: 1.0
In-Reply-To: <-3246661568130012874@gmail297201516>
References: 
 <CANpmDOcjTH2gbxYL=5GQu+c2QftMWC8Nk6tSrCXaxcavNZyfWg@mail.gmail.com>
 <-3246661568130012874@gmail297201516>
From: Andrew Purtell <apurtell@apache.org>
Date: Tue, 21 Jan 2014 10:37:33 -0800
Message-ID: 
 <CA+RK=_BpstvnbFM+ZmSCZ3uZScoS-u5x5ABRQY=8CM+VO-PpXQ@mail.gmail.com>
Subject: Re: Cryptography audit for Twill
To: "legal-discuss@apache.org" <legal-discuss@apache.org>
Content-Type: multipart/alternative; boundary=047d7bfcf6a292dae204f07f4fa5

--047d7bfcf6a292dae204f07f4fa5
Content-Type: text/plain; charset=ISO-8859-1

When considering adding features based on cryptography for Apache HBase I
posted a query on this mailing list and received an "IANAL" answer, which
was unfortunately unhelpful. We can forgive Twill for taking a maybe overly
conservative position given what we have here is another volunteered
personal opinion. I share that view but my opinion is worthless because I
am neither a lawyer, nor one representing the Foundation. The material on
http://www.apache.org/dev/crypto.html carries this ominous disclaimer:

"Note - the regulations covering US export control laws for encryption were
changed on June 25th 2010. This page describes the previous process. Until
an updated version has been drawn up and approved by the Apache VP Legal
Affairs, projects should check with the legal-discuss list before
proceeding."

It's fair to say at this point the Foundation does not provide effective
guidance for use of cryptographic functions, or even what that means.


On Mon, Jan 20, 2014 at 4:37 PM, Kevan Miller <kevan.miller@gmail.com>wrote:

>
>
> On Thu Jan 16 2014 at 7:59:44 PM, Andreas Neumann <anew@apache.org> wrote:
>
>> Hi,
>>
>> I am trying to complete the IP clearance for Twill and I am slightly
>> confused by the cryptography part of that (
>> https://issues.apache.org/jira/browse/TWILL-28).
>>
>> Twill does not explicitly contain cryptographic code, except that:
>>
>>    - It uses java.util.UUID.randomUUID() to generate random ids. This
>>    method uses "a cryptographically strong pseudo random number generator."
>>    Since it is part of Java, I assume that is nothing to worry about.
>>    - It uses Hadoop, which uses encryption. The only thing twill does
>>    here is store delegation tokens on HDFS and read them back.
>>
>> So is there anything to do for this? Do I need to add Twill to the export
>> list at http://www.apache.org/licenses/exports/ ? Do we need to include
>> a crypto notice in our README? It is not clear to me after reading the
>> document at http://www.apache.org/dev/crypto.html
>>
>
> How would you evaluate the following statement with regard to TWILL?
>
> PMCs considering including cryptographic functionality within their
> products or specially designing their products to use other software with
> cryptographic functionality should take the following steps *before
> placing such code on any ASF server, including commits to subversion *:
>
> My personal opinion: using java.util.UUID.randomUUID() to generate a
> unique id is not cryptographic functionality. Note: being part of Java or
> not is not necessarily relevant...
>
> I don't have enough context to offer an opinion on 'store delegation
> tokens on HDFS and read them back'. Was TWILL "specially designing their
> products to use other software with cryptographic functionality"? Answer
> that, and I think you have your answer.
>
> --kevan
>


-- 
Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein
(via Tom White)

--047d7bfcf6a292dae204f07f4fa5
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_default" style=3D"font-family:arial,he=
lvetica,sans-serif;font-size:small">When considering adding features based =
on cryptography for Apache HBase I posted a query on this mailing list and =
received an &quot;IANAL&quot; answer, which was unfortunately unhelpful. We=
 can forgive Twill for taking a maybe overly conservative position given wh=
at we have here is another volunteered personal opinion. I share that view =
but my opinion is worthless because I am neither a lawyer, nor one represen=
ting the Foundation. The material on=A0<a href=3D"http://www.apache.org/dev=
/crypto.html">http://www.apache.org/dev/crypto.html</a> carries this ominou=
s disclaimer:</div>

<div class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-seri=
f;font-size:small"><br></div><div class=3D"gmail_default"><font face=3D"ari=
al, helvetica, sans-serif">&quot;Note - the regulations covering US export =
control laws for encryption were changed on June 25th 2010. This page descr=
ibes the previous process. Until an updated version has been drawn up and a=
pproved by the Apache VP Legal Affairs, projects should check with the lega=
l-discuss list before proceeding.&quot;</font><br>

</div><div class=3D"gmail_default" style=3D"font-family:arial,helvetica,san=
s-serif;font-size:small"><br></div><div class=3D"gmail_default" style=3D"fo=
nt-family:arial,helvetica,sans-serif;font-size:small">It&#39;s fair to say =
at this point the Foundation does not provide effective guidance for use of=
 cryptographic functions, or even what that means.=A0</div>

<div class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-seri=
f;font-size:small"><br></div><div class=3D"gmail_extra"><br><br><div class=
=3D"gmail_quote">On Mon, Jan 20, 2014 at 4:37 PM, Kevan Miller <span dir=3D=
"ltr">&lt;<a href=3D"mailto:kevan.miller@gmail.com" target=3D"_blank">kevan=
.miller@gmail.com</a>&gt;</span> wrote:<br>

<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><br><br><div>On Thu Jan 16 2014 at 7:59:44 P=
M, Andreas Neumann &lt;<a href=3D"mailto:anew@apache.org" target=3D"_blank"=
>anew@apache.org</a>&gt; wrote:</div>

<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">
<div dir=3D"ltr">Hi,=A0<div><br></div><div>I am trying to complete the IP c=
learance for Twill and I am slightly confused by the cryptography part of t=
hat (<a href=3D"https://issues.apache.org/jira/browse/TWILL-28" target=3D"_=
blank">https://issues.apache.org/jira/browse/TWILL-28</a>).=A0</div>


<div><br></div>Twill does not explicitly contain cryptographic code, except=
 that:<br><ul><li>It uses java.util.UUID.randomUUID() to generate random id=
s. This method uses &quot;a cryptographically strong pseudo random number g=
enerator.&quot; Since it is part of Java, I assume that is nothing to worry=
 about.<br>


</li><li>It uses Hadoop, which uses encryption. The only thing twill does h=
ere is store delegation tokens on HDFS and read them back.</li></ul>So is t=
here anything to do for this? Do I need to add Twill to the export list at =
<a href=3D"http://www.apache.org/licenses/exports/" target=3D"_blank">http:=
//www.apache.org/licenses/exports/</a> ? Do we need to include a crypto not=
ice in our README? It is not clear to me after reading the document at <a h=
ref=3D"http://www.apache.org/dev/crypto.html" target=3D"_blank">http://www.=
apache.org/dev/crypto.html</a></div>


</blockquote><div><br></div><div>How would you evaluate the following state=
ment with regard to TWILL?</div><div><br></div><div><span style=3D"font-fam=
ily:Helvetica,Arial,&#39;Liberation Sans&#39;,FreeSans,sans-serif;font-size=
:15px;line-height:22.5px">PMCs considering including cryptographic function=
ality within their products or specially designing their products to use ot=
her software with cryptographic functionality should take the following ste=
ps=A0</span><strong style=3D"margin:0px;padding:0px;border:0px;outline:rgb(=
0,0,0);font-size:15px;vertical-align:baseline;font-family:Helvetica,Arial,&=
#39;Liberation Sans&#39;,FreeSans,sans-serif;line-height:22.5px">before pla=
cing such code on any ASF server,=A0<em style=3D"margin:0px;padding:0px;bor=
der:0px;outline:rgb(0,0,0);vertical-align:baseline;background-color:transpa=
rent">including commits to subversion</em>=A0</strong><span style=3D"font-f=
amily:Helvetica,Arial,&#39;Liberation Sans&#39;,FreeSans,sans-serif;font-si=
ze:15px;line-height:22.5px">:</span><br>


</div><div>=A0</div><div>My personal opinion: using=A0<span style=3D"line-h=
eight:19.799999237060547px">java.util.UUID.</span>randomUUID() to generate =
a unique id is not cryptographic functionality. Note: being part of Java or=
 not is not necessarily relevant...</div>


<div><br></div><div>I don&#39;t have enough context to offer an opinion on =
&#39;store delegation tokens on HDFS and read them back&#39;. Was TWILL &qu=
ot;<span style=3D"font-family:Helvetica,Arial,&#39;Liberation Sans&#39;,Fre=
eSans,sans-serif;font-size:15px;line-height:22.5px">specially designing the=
ir products</span><span style=3D"font-family:Helvetica,Arial,&#39;Liberatio=
n Sans&#39;,FreeSans,sans-serif;font-size:15px;line-height:22.5px">=A0</spa=
n><span style=3D"font-family:Helvetica,Arial,&#39;Liberation Sans&#39;,Free=
Sans,sans-serif;font-size:15px;line-height:22.5px">to use other software wi=
th cryptographic functionality</span>&quot;? Answer that, and I think you h=
ave your answer.</div>

<span class=3D"HOEnZb"><font color=3D"#888888">
<div><br></div><div>--kevan</div>
</font></span></blockquote></div><br><br clear=3D"all"><div><br></div>-- <b=
r><div dir=3D"ltr"><font face=3D"arial, helvetica, sans-serif">Best regards=
,<br><br> =A0 =A0- Andy<br><br>Problems worthy of attack prove their worth =
by hitting back. - Piet Hein (via Tom White)</font><br>

</div>
</div></div>

--047d7bfcf6a292dae204f07f4fa5--