Posted to legal-discuss@apache.org by Andrew Purtell <ap...@apache.org> on 2013/09/30 03:24:15 UTC

Current guidance on using strong cryptographic algorithms in Apache projects

Dear Apache Legal Affairs,

At
http://www.apache.org/dev/crypto.html
was, formerly, guidance to Apache PMC members on the necessary steps to
take should a contribution implementing or employing cryptographic
functions be considered for commit. It outlines necessary documentation and
procedural steps the PMC must adopt ahead of committing the code and ahead
of any release including it. However, near the top of that page is this
notice:

*Note - the regulations covering US export control laws for encryption were
changed on June 25th 2010. This page describes the previous process. Until
an updated version has been drawn up and approved by the Apache VP Legal
Affairs, projects should check with the legal-discuss list before
proceeding.*


On the Apache HBase JIRA issue HBASE-7544 (
https://issues.apache.org/jira/browse/HBASE-7544), "Transparent table/CF
encryption", the Apache HBase project is presented with a change that would
employ cryptographic functions. The proposed change does not implement
cryptographic algorithms directly, but provides a framework for their use
in the HBase product, and includes a new feature for HBase employing that
framework to encrypt data. Such encryption would be done with an algorithm
available in any Java runtime environment that is a symmetric algorithm
employing a key length in excess of 56-bits (128 bits).

I would like to engage my PMC in a discussion about possibly including the
HBASE-7544 change in an upcoming release. Before I can do that, I think we
need to clearly understand what the ramifications of such action would be.
What is the general guidance from Apache Legal Affairs to Apache projects
with respect to inclusion of code employing cryptographic functions? What
procedural changes and/or new release requirements would our project need
to adopt if such code is committed?

Please be advised I have also copied this message to the Apache HBase PMC
mailing list for their information.

-- 
Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein
(via Tom White)

Re: Current guidance on using strong cryptographic algorithms in Apache projects

Posted by Andrew Purtell <ap...@apache.org>.
The conclusion I will take to my PMC in the absence of an authoritative
opinion from the Foundation is that no special action is needed, and I will
refer to this thread. Thanks.


On Monday, September 30, 2013, James Carman wrote:

> I'm no lawyer, but I think you're okay if you just stick to using the
> interfaces.  The JCE was restricted for export (I believe that's been
> relaxed now too), but you're not including actual algorithms or
> anything in our code, just coding to the interfaces on which the
> algorithms are implemented.



-- 
Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein
(via Tom White)

Re: Current guidance on using strong cryptographic algorithms in Apache projects

Posted by James Carman <ja...@carmanconsulting.com>.
I'm no lawyer, but I think you're okay if you just stick to using the
interfaces.  The JCE was restricted for export (I believe that's been
relaxed now too), but you're not including actual algorithms or
anything in our code, just coding to the interfaces on which the
algorithms are implemented.

On Mon, Sep 30, 2013 at 8:35 AM, Andrew Purtell <ap...@apache.org> wrote:
> James,
>
> Yes, the proposed contribution on HBASE-7544 only uses the crypto interfaces
> of the JDK.
>
> The HBASE-7544 framework could be used to plug in a cryptographic algorithm
> implementation directly into the HBase product, to be shipped with the HBase
> product, but this is not currently contemplated.

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Re: Current guidance on using strong cryptographic algorithms in Apache projects

Posted by Andrew Purtell <ap...@apache.org>.
James,

Yes, the proposed contribution on HBASE-7544 only uses the crypto
interfaces of the JDK.

The HBASE-7544 framework could be used to plug in a cryptographic algorithm
implementation directly into the HBase product, to be shipped with the
HBase product, but this is not currently contemplated.


On Mon, Sep 30, 2013 at 7:40 PM, James Carman <ja...@carmanconsulting.com> wrote:

> Andrew,
>
> You are just merely planning on using the crypto interfaces included
> with the JDK, right?  You don't really care what's "behind the
> scenes."
>
> James


-- 
Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein
(via Tom White)

Re: Current guidance on using strong cryptographic algorithms in Apache projects

Posted by James Carman <ja...@carmanconsulting.com>.
Andrew,

You are just merely planning on using the crypto interfaces included
with the JDK, right?  You don't really care what's "behind the
scenes."

James
