Posted to legal-discuss@apache.org by Matt Sicker <bo...@gmail.com> on 2021/04/27 17:23:26 UTC

Question about whether or not some code is applicable to cryptographic export controls

I recently contributed CODEC-296 in
https://github.com/apache/commons-codec/pull/79 which adds Blake3, a
cryptographic hash function that also includes a PRF (pseudorandom
function), MAC (message authentication code), XOF (extensible output
function), and KDF (key derivation function). Reading through
https://infra.apache.org/crypto.html and the linked regulations, it
specifically exempts cryptographic algorithms used for signatures and
authentication. As far as I can tell, the intended purpose of this is
to track _encryption_ algorithms, though from an academic point of
view, there's a very short step from things like XOFs into symmetric
ciphers by simply XORing the output stream with the plaintext input,
and the internals of the Blake family of hash functions are
derived from the internals of the ChaCha family of stream ciphers
which would definitely qualify for addition to the list.

In Apache Commons, we already list commons-crypto, commons-compress,
and commons-openpgp as projects we publish that integrate with or
otherwise provide encryption software. Do we need to add commons-codec
to this list if Blake3 is published in the next release? Or does this
not qualify as "encryption software" until an explicit
encryption/decryption API is added?

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
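The observation in the message above, that an XOF is one XOR away from a stream cipher while the same primitive also serves as a PRF, MAC and KDF, as an added example that is not code from the thread or from commons-codec. Blake3 is not in Python's standard library, so SHAKE256 from hashlib stands in as the XOF; the keyed, key-derivation and stream constructions below are this example's own illustrations, not Blake3's specified modes.

```python
"""XOF as hash, MAC, KDF and keystream: one primitive, several modes.

SHAKE256 (an extensible-output function in hashlib) stands in for Blake3's
XOF; the keyed/KDF/stream wrappers are constructed for illustration only.
"""
import hashlib
import hmac


def xof(data: bytes, n: int) -> bytes:
    """Extensible-output hash: ask for as many output bytes as you like."""
    return hashlib.shake_256(data).digest(n)


def keyed_xof(key: bytes, data: bytes, n: int) -> bytes:
    """PRF / MAC use: length-prefix the key so key and data cannot slide into
    each other.  Analogous to a keyed-hash mode, not Blake3's actual keyed mode."""
    return xof(len(key).to_bytes(2, "big") + key + data, n)


def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    """MAC verification with a constant-time comparison (no early-exit timing leak)."""
    expected = keyed_xof(key, data, len(tag))
    return hmac.compare_digest(expected, tag)


def derive_key(context: str, key_material: bytes, n: int = 32) -> bytes:
    """KDF use: a context string domain-separates keys derived from one secret."""
    return xof(b"KDF:" + context.encode("utf-8") + b"\x00" + key_material, n)


def xof_stream_xor(key: bytes, nonce: bytes, message: bytes) -> bytes:
    """The 'very short step' from XOF to stream cipher: keystream = keyed XOF
    output of (key, nonce), XORed with the message.  The same call encrypts
    and decrypts, which is exactly why a hash library can become encryption
    software with no new API surface."""
    keystream = keyed_xof(key, nonce, len(message))
    return bytes(m ^ k for m, k in zip(message, keystream))


def demo() -> dict:
    """Run every mode on constructed sample inputs and return the results."""
    key = b"\x01" * 32          # constructed sample key
    nonce = b"\x02" * 12        # constructed sample nonce
    msg = b"hash library or cipher library?"
    ct = xof_stream_xor(key, nonce, msg)
    return {
        "digest": xof(msg, 32),
        "tag": keyed_xof(key, msg, 32),
        "session_key": derive_key("example app v1 session key", key),
        "ciphertext": ct,
        "roundtrip_ok": xof_stream_xor(key, nonce, ct) == msg,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.hex() if isinstance(value, bytes) else value}")
```

The stream construction here is deliberately minimal: a real cipher built this way would still need a nonce-misuse story and an authentication tag, which is why the MAC mode sits beside it.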


Re: Question about whether or not some code is applicable to cryptographic export controls

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> In Apache Commons, we already list commons-crypto, commons-compress,
> and commons-openpgp as projects we publish that integrate with or
> otherwise provide encryption software. Do we need to add commons-codec
> to this list if Blake3 is published in the next release? Or does this
> not qualify as "encryption software" until an explicit
> encryption/decryption API is added?

Who knows? I certainly don’t.

However, I think it's probably best to err on the side of caution and assume it likely that it needs to be added to that list.

Thanks,
Justin