Posted to dev@shindig.apache.org by Chris Chabot <ch...@xs4all.nl> on 2008/05/06 19:50:51 UTC

Crypto notice required?

Below is the important part of a mail I sent to the list last week. I
got no replies to it at the time, probably due to holidays and
everything, but since it might be important for doing things correctly
and in the Apache way, I'm reposting it:

On May 2, 2008, at 2:52 AM, Chris Chabot wrote:

> PS: I remember we went through some song and dance to be able to
> include crypto in Shindig (somewhere mid/end of March). The result
> was that we added a notice in our NOTICE file about the crypto
> functions:
>
> http://svn.apache.org/viewvc/incubator/shindig/trunk/NOTICE?revision=639568&view=markup
>
> In this notice it lists which cryptography actions are present in
> Shindig, it seems:
>
> The following provides more details on the included cryptographic
> software:
>
> Apache Shindig interfaces with the Java JCE APIs to provide digital
> signing and encryption of messages using the AES, SHA1, and
> HMAC-SHA1 standards.
>
> Apache Shindig interfaces with the OAuth library
> <http://code.google.com/p/oauth/> to provide digital signing of
> messages according to the OAuth standard.
>
> So should I add a bit like: "Apache Shindig's PHP code interfaces
> with PHP's mcrypt APIs to provide encryption of messages using the
> AES and HMAC-SHA1 standards, and uses PHP's sha1 function to provide
> digital signing"?


Re: Crypto notice required?

Posted by Santiago Gala <sa...@gmail.com>.
On Tue, 06-05-2008 at 17:09 -0700, Brian Eaton wrote:
> Awesome, thank you.  I'd ask you to show me to how to do it, but I
> don't have commit access so I can't help very much.
> 

The procedure is listed here: http://www.apache.org/dev/crypto.html

Basically, unless what we have added changes the statement at:
http://www.apache.org/licenses/exports/
(designed for use with encryption library), we don't need to change
anything in the site module, or send email. Note that signing is not
included in the export notifications, only cipher (be it symmetric or
asymmetric). We need to fill in this notification because we have a
couple of cipher functions for gadgets, but there is no need to refer to
the signing code as such.

The NOTICE we have makes the relevant difference as we add/remove cipher
related libraries. Our current version reads:
    Apache Shindig interfaces with the Java JCE APIs to provide digital
    signing and encryption of messages using the AES, SHA1, and
    HMAC-SHA1 standards.

    Apache Shindig interfaces with the OAuth library
    <http://code.google.com/p/oauth/> to provide digital signing
    of messages according to the OAuth standard.

I think, after talking on IRC, that we should remove the reference to
the OAuth library and keep the JCE, which is the library that performs
the encryption, possibly removing the "digital signing and" fragment,
and maybe the reference to SHA1 and HMAC-SHA1, as it is AES that is used
for encryption.

This is unless I'm mistaken and we use any OAuth encryption abilities,
which might be for tokens, etc. But in this case the NOTICE should
probably be more specific, like "...using an encrypted nonce..." or
whatever cipher stuff we use tangentially. I don't think that just using
a cipher to protect tokens or nonces which carry no messaging
information with them is considered encryption, anyhow. But we should
look further for the definitions in this case.

We should now add a reference to the library that we interface against
in the PHP code, in similar terms. As we ship no cipher code directly,
but only "designed for use with" it, the notification is relatively
simple. Shipping the JRE or OpenSSL would make a difference.

If one of the code changes is enough to modify the status of the page,
say from "designed for use with" to "provides encryption" or similar,
the site page needs to be changed (the mentors have karma for it, after
graduation the PMC Chair would), and *the incubator PMC Chair* would
need to send email again.

I think this is basically the procedure.


Regards
Santiago

> On Tue, May 6, 2008 at 11:18 AM, Santiago Gala <sa...@gmail.com> wrote:
> > I was planning to do it during the weekend, but got swamped. I'm
> > taking care, I actually started it.
> >
-- 
Santiago Gala
http://memojo.com/~sgala/blog/


Re: Crypto notice required?

Posted by Brian Eaton <be...@google.com>.
[+santiago]

Sounds like a good idea.  Santiago also needed to update another web
page last time, and send an official notice to the US government about
the change.  I think this submit requires the same work.

http://www.apache.org/dev/crypto.html

Cheers,
Brian
