Subject: Re: [boost] Crypto/hashes library?
From: Andrey Semashev (andrey.semashev_at_[hidden])
Date: 2017-09-07 15:08:19

On 09/07/17 16:59, Vinnie Falco via Boost wrote:
> On Thu, Sep 7, 2017 at 2:50 AM, Richard Hodges via Boost
> <boost_at_[hidden]> wrote:
>> I think it would be reasonable to say that most people (tm) use either the
>> openssl or CryptoCpp libraries.
> I doubt either of these libraries would pass a Boost review.

They don't need to.

I think a full implementation of cryptographic algorithms in Boost,
while it would be nice in theory, is not very feasible in practice. First,
it would require a group of very skillful and active developers that
keep their hand on the pulse in the security and cryptography field.
Vulnerabilities need to be acted upon fast, which also means that the Boost
release schedule doesn't suit very well for such a library. The
implementation has to be robust and fast to compete with other
implementations (and by fast I mean including writing assembler routines
for many algorithms). Then, preferably, the implementation would have to
pass an independent audit to gain some trust in users.

A cryptography library in Boost is very much welcome, but, at least
initially, I think, it should focus primarily on providing a proper
interface that fits in the C++ ecosystem well. The bulk of the work should
be done by a third party implementation, like OpenSSL or gnutls or
libnss or whatever the native API is on a given platform. Maybe, if the
API becomes popular and the library gains momentum, it could then offer
its own implementation of some algorithms, e.g. to remove external
dependencies. Then the difficulties I mentioned can be tackled gradually