From: Rainer Deyke (rainerd_at_[hidden])
Date: 2020-02-27 16:07:23
On 26.02.20 23:26, degski via Boost wrote:
> On Wed, 26 Feb 2020 at 11:07, Rainer Deyke via Boost <boost_at_[hidden]>
>> On 26.02.20 16:14, degski via Boost wrote:
>>> I don't think this is a good idea. Crypto is very hard and 'generic'
>>> is not useful to amateurs (that's the intended audience for this
>>> Boost-component), imho (unless one insists on doing it wrongly). A
>>> crypto-lib should not be generic, but should be guiding and advising
>>> is not a Boost-approach to things, in general), like 'libsodium' does.
>> There are two categories of cryptography usage. In the first category,
>> one can choose the algorithm because one controls both endpoints. In
>> the second category, the algorithm is already decided by the other
>> endpoint. The guidance provided by libsodium is great for the first
>> category. The large selection of algorithms provided by Crypto++ is
>> great for the second category.
>> I like and use libsodium, but I am under no illusions that it is
>> sufficient for everybody's, or even every amateur's, cryptography needs.
> An amateur should not use that second category of lib in my view (and a
> non-amateur won't), the number of ways to f-it-up is just too many. I can
> agree that it's not sufficient for all, but whatever comes out at the other
> end, should be made up of building blocks that are libsodium like.
Looks like you missed the point of my two categories. These are not
categories of libraries, but categories of needs that users have, which
an individual library may or may not meet.
For example: Let's say I want to write a program that reads encrypted
zip files. I therefore need a library that provides an
implementation(s) of the specific algorithm(s) used to by encrypted zip
files, or I need to provide my own.
It doesn't matter for the purpose of my program that the default
ZipCrypto used by zip files is a terrible, terrible encryption algorithm
that should never be used. The file is already encrypted, the damage is
already done, and I just want to decrypt it.
Crypto++ doesn't provide a ZipCrypto implementation, but it does provide
several other algorithms that can also be used to encrypt zip files.
libsodium, on the other hand, treats encryption as a black box - it only
provides one secret-key encryption algorithm, and you have to search the
documentation thoroughly to even find out which algorithm that is.
-- Rainer Deyke (rainerd_at_[hidden])
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk