From: | Craig Ringer <craig(at)2ndquadrant(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | David Steele <david(at)pgmasters(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, David Fetter <david(at)fetter(dot)org>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Julian Markwort <julian(dot)markwort(at)uni-muenster(dot)de>, Stephen Frost <sfrost(at)snowman(dot)net>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>, Valery Popov <v(dot)popov(at)postgrespro(dot)ru> |
Subject: | Re: Password identifiers, protocol aging and SCRAM protocol |
Date: | 2016-07-22 05:19:33 |
Message-ID: | CAMsr+YECQpkR+WARY2w5Xgn_nbd9HYG4nPtvyS8zDF12dh-PGg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 22 July 2016 at 01:31, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> David Steele <david(at)pgmasters(dot)net> writes:
> > On 7/21/16 12:19 PM, Robert Haas wrote:
> >> On Wed, Jul 20, 2016 at 7:42 PM, Michael Paquier
> >> <michael(dot)paquier(at)gmail(dot)com> wrote:
> >>>> People have, in the past, expressed concerns about linking in
> >>>> pgcrypto. Apparently, in some countries, it's a legal problem.
>
> >>> Do you have any references? I don't see that as a problem.
>
> >> I don't have a link to previous discussion handy, but I definitely
> >> recall that it's been discussed. I don't think that would mean that
> >> libpgcrypto couldn't depend on libpgcommon, but the reverse direction
> >> would make libpgcrypto essentially mandatory which I don't think is a
> >> direction we want to go for both technical and legal reasons.
>
> > I searched a few different ways and finally came up with this post from
> Tom:
> > https://www.postgresql.org/message-id/11392.1389991321@sss.pgh.pa.us
> > It's the only thing I could find, but thought it might jog something
> > loose for somebody else.
>
> Way back when, like fifteen years ago, there absolutely were US export
> control restrictions on software containing crypto. I believe the US has
> figured out that that was silly, but I'm not sure everyplace else has.
>
Australia has recently enacted laws that are reminiscent of the US's
defunct crypto export control laws, but they add penalties for *teaching*
encryption too. Yup, you can be charged for talking about it. Of course
they'll only actually USE those new powers to Stop The Terrorist Threat,
they promise...
http://www.defence.gov.au/deco/DTC.asp
Unless recently amended, they even failed to exclude academic institutions.
I haven't been following it closely because, frankly, it's too ridiculous
to pay much attention to, and I don't work directly with crypto anyway. But
it's far from the only such colossally ignorant and idiotic law floating
around.
Despite the technical frustrations involved, we should keep crypto
implementations in a separate library. I agree with Tom that one-way hashes
are not a practical concern, even if the laws are probably written too
poorly to draw a distinction.
--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
From | Date | Subject | |
---|---|---|---|
Next Message | Craig Ringer | 2016-07-22 05:24:07 | Re: Curing plpgsql's memory leaks for statement-lifespan values |
Previous Message | Amit Langote | 2016-07-22 05:10:48 | Re: Constraint merge and not valid status |