Thanks to everyone for their contributions on this topic. I sent Dr. Hipp's explanation to our legal team, and that was good enough for them. (This is a US company, for those who wondered.)
I agree with Simon that if that explanation could be added to the comment in random.c about the use of RC4, it could perhaps shortcut these legal discussions for others.

Thanks again!

Eric

-----Original Message-----
From: sqlite-users-bounces at mailinglists.sqlite.org [mailto:sqlite-users-boun...@mailinglists.sqlite.org] On Behalf Of Richard Hipp
Sent: Tuesday, August 11, 2015 10:11 AM
To: General Discussion of SQLite Database <sqlite-users at mailinglists.sqlite.org>
Subject: Re: [sqlite] Lawyers, encryption, and RC4

On 8/11/15, Eric Hill <Eric.Hill at jmp.com> wrote:
>
> We're getting some pushback from our lawyers suggesting that SQLite's use of
> RC4 even just to generate random numbers is, in their minds,
> encryption for export purposes.

No. The RC4 encryption algorithm consists of three subcomponents:

(1) Key management logic
(2) The pseudo-random number generator (PRNG)
(3) The encoder/decoder

SQLite only implements (2). It omits (1) and (3). And hence, the RC4 kernel inside of SQLite cannot be used for encryption.

--
D. Richard Hipp
drh at sqlite.org
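
The reply's distinction between the generator and the encoder/decoder, shown with textbook RC4 as an added example (not part of the thread and not SQLite's random.c). The function names, the "Key"/"Plaintext" sample values and the mapping of functions to the reply's numbered parts are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Textbook RC4 state: a 256-byte permutation and two indices. */
struct rc4 { uint8_t s[256]; uint8_t i, j; };

/* Seed the permutation (standard RC4 key schedule). A PRNG needs this
 * step too; here the "key" is just seed material. */
static void rc4_seed(struct rc4 *r, const uint8_t *seed, size_t n)
{
    uint8_t j = 0, t;
    for (int k = 0; k < 256; k++) r->s[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + r->s[k] + seed[k % n]);
        t = r->s[k]; r->s[k] = r->s[j]; r->s[j] = t;
    }
    r->i = r->j = 0;
}

/* Part (2): the generator. Returns the next pseudo-random byte. */
static uint8_t rc4_byte(struct rc4 *r)
{
    uint8_t t;
    r->i = (uint8_t)(r->i + 1);
    r->j = (uint8_t)(r->j + r->s[r->i]);
    t = r->s[r->i]; r->s[r->i] = r->s[r->j]; r->s[r->j] = t;
    return r->s[(uint8_t)(r->s[r->i] + r->s[r->j])];
}

/* Part (3): the encoder/decoder, i.e. XOR of data with generator output.
 * Shown only to mark the piece the reply says SQLite does not contain. */
static void rc4_xor(struct rc4 *r, uint8_t *buf, size_t n)
{
    for (size_t k = 0; k < n; k++) buf[k] ^= rc4_byte(r);
}

int main(void)
{
    struct rc4 r;
    uint8_t msg[] = "Plaintext";               /* constructed sample data */
    rc4_seed(&r, (const uint8_t *)"Key", 3);   /* constructed seed */
    for (int k = 0; k < 4; k++) printf("%02X", rc4_byte(&r)); /* generator only */
    rc4_seed(&r, (const uint8_t *)"Key", 3);
    rc4_xor(&r, msg, 9);                       /* generator plus encoder */
    printf("\n");
    for (int k = 0; k < 9; k++) printf("%02X", msg[k]);
    printf("\n");
    return 0;
}
```

Without `rc4_xor` the code only emits a byte stream; data is transformed only once that stream is combined with it.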