Re: Crypto

From: Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: David Fetter <david(at)fetter(dot)org>, PG Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Crypto
Date: 2009-09-19 18:12:42
Message-ID: 4AB51F1A.9090505@mark.mielke.cc
Lists: pgsql-hackers

On the subject of crypto law - the laws have relaxed significantly in
the last decade to the point where it is now generally safe to export
symmetric encryption up to 128 bits (example: AES), and asymmetric
encryption up to 1024 bits (example: RSA). Many countries still require
some sort of license, though, which takes the form of a formal request
"may I export this?" "yes". As a "for example", I received approval from
our company lawyers to re-export the Java runtime with a program we have
which uses exactly 128 bit symmetric and 1024 bit asymmetric to all
countries except embargoed countries. Since it makes no sense to do
business in embargoed countries anyways, there is no point in asking at all.

For free / open source software in general, the US has explicit
exemptions for freely available software on the Internet, for the most
part because it is impossible for them to control it. In this situation,
PostgreSQL has a lot more freedom than, say, Oracle, to distribute
crypto. As a for example, Firefox includes crypto to support SSL and
certificate checking. Now, many countries also have *import*
restrictions, so while it's safe to freely export Firefox from the
United States over the Internet, in some countries, it is *illegal* for
their own citizens to encrypt their data beyond a certain level. If such
rules are enforced (I think Australia even had such a rule for a time),
then it would be the citizen doing the import that is affected. At
present, I wonder about the status of such things in China. While in
China, they didn't prevent me from using my high encryption strength VPN
software to access work - was I breaking the law by "importing" the
technology and using it? I don't know, and I didn't really think much
about it at the time.

All this being said - laws change all the time, and there are a number
of countries involved in the equation, each of which may or may not have
rules that apply to PostgreSQL at various times, so I still agree with
Andrew - to go from no-crypto to crypto is a huge change that MAY result
in downstream consequences which would adversely affect the success of
PostgreSQL, or may even end up with some PostgreSQL representative in
the chain defending themselves in a court room.

I think it would be best to leave crypto *outside* of core, but make it
an extremely easy to add plugin with "download at your own risk - if you
are unsure whether you are allowed to import crypto into your country,
you are responsible for seeking your own legal counsel."

Java did this with their main software being generally exportable, and
their "unlimited strength" crypto libraries requiring a separate
download with appropriate warnings to keep Sun happy that they would not
be held legally responsible if somebody did misuse the software.

I work for a telecommunications company which requires crypto in most
software components, so this stuff is taken very seriously. The last
thing you want to see on television is a terrorist using an untraceable
"secure" line with your company's brand name on the front, as they lop
off the head of a reporter. There is a level of responsibility required
for such things both from a business perspective and from an ethics
perspective.

Cheers,
mark

On 09/19/2009 01:55 PM, Andrew Dunstan wrote:
>
> David Fetter wrote:
>>> As for the suggestion that we should put other crypto functions into
>>> the core, AIUI the reason not to is not to avoid problems with US
>>> Export Regulations (after all, we've shipped source tarballs with
>>> it for many years, including from US repositories), but to make it
>>> easier to use Postgres in places where use of crypto is illegal.
>>
>> To date, I have not found an example of such a place. For the record,
>> would you or anyone seeing this be so kind as to provide one, along
>> with some kind of evidence that somewhere, such a law has actually
>> been enforced?
>
> There are significant controls in a number of countries. See
> <http://rechten.uvt.nl/koops/cryptolaw/cls-sum.htm>.
>
> I am not going to do more research on this - I have better things to
> do with my time. The point has been made elsewhere that including
> general crypto in core is entirely unnecessary for any purpose we know
> of. That along with knowledge that its use is at least restricted in
> several countries should surely be argument enough.
>
> This comes up often enough that I'm almost wondering if it deserves an
> FAQ entry.
>

--
Mark Mielke <mark(at)mielke(dot)cc>

In response to

  • Re: Crypto at 2009-09-19 17:55:50 from Andrew Dunstan
