Re: sha1, sha2 functions into core? - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: sha1, sha2 functions into core?
Date
Msg-id 503290DD.3090303@dunslane.net
Whole thread Raw
In response to Re: sha1, sha2 functions into core?  (Josh Berkus <josh@agliodbs.com>)
Responses Re: sha1, sha2 functions into core?
List pgsql-hackers
On 08/20/2012 03:10 PM, Josh Berkus wrote:
> On 8/15/12 6:48 AM, Tom Lane wrote:
>> The argument against moving crypto code into core remains the same as it
>> was, ie export regulations.  I don't see that that situation has changed
>> at all.
> Actually, I believe that it has, based on my experience getting an
> export certificate for Sun Postgres back in 2008.
>
> The US Federal government lifted restrictions on shipping well-known
> cryptographic algorithms to most countries several years ago, except to
> specific countries with embargoes (Iran, Burma, etc.).  However, *all*
> exports of software to those embargoed countries are restricted,
> cryptographic or not.
>
> The USA does require an export certificate for any
> cryptographic-supporting software which is shipped from the USA.  For
> that, however, MD5 and our support for SSL authentication already
> requires a certificate, whether we include SHA or not.  So, my personal
> non-lawyer experience is that including SHA in core or not would make no
> difference whatsoever to our export status.
>
> The above is all secondhand legal knowledge, so if it really matters to
> our decisions on what algorithms we include in Core, we should ask SFLC
> for a real opinion.  We certainly shouldn't make one based on assumptions.
>
> I think it's more significant, though, that nobody has been able to
> demonstrate that SHA hashing of passwords actually makes Postgres more
> secure.
>



I don't think US export regulations are the only issue. Some other 
countries (mostly the usual suspects) forbid the use of crypto software. 
If we build more crypto functions into the core we make it harder to use 
Postgres legally in those places.

cheers

andrew



pgsql-hackers by date:

Previous
From: Robert Haas
Date:
Subject: Re: The pgrminclude problem
Next
From: Robert Haas
Date:
Subject: Re: NOT NULL constraints in foreign tables