David Steele <david@pgmasters.net> writes:
> On 7/21/16 12:19 PM, Robert Haas wrote:
>> On Wed, Jul 20, 2016 at 7:42 PM, Michael Paquier
>> <michael.paquier@gmail.com> wrote:
>>>> People have, in the past, expressed concerns about linking in
>>>> pgcrypto. Apparently, in some countries, it's a legal problem.
>>> Do you have any references? I don't see that as a problem.
>> I don't have a link to previous discussion handy, but I definitely
>> recall that it's been discussed. I don't think that would mean that
>> libpgcrypto couldn't depend on libpgcommon, but the reverse direction
>> would make libpgcrypto essentially mandatory which I don't think is a
>> direction we want to go for both technical and legal reasons.
Way back when, like fifteen years ago, there absolutely were US export control restrictions on software containing crypto. I believe the US has figured out that that was silly, but I'm not sure everyplace else has.
Australia has recently enacted laws that are reminiscent of the US's defunct crypto export control laws, but they add penalties for *teaching* encryption too. Yup, you can be charged for talking about it. Of course they'll only actually USE those new powers to Stop The Terrorist Threat, they promise...
Unless recently amended, they even failed to exclude academic institutions. I haven't been following it closely because, frankly, it's too ridiculous to pay much attention to, and I don't work directly with crypto anyway. But it's far from the only such colossally ignorant and idiotic law floating around.
Despite the technical frustrations involved, we should keep crypto implementations in a separate library. I agree with Tom that one-way hashes are not a practical concern, even if the laws are probably written too poorly to draw a distinction.