From: Mikhail Komarov (nemo_at_[hidden])
Date: 2020-09-04 20:13:54
Well, coming to that, that is why I propose to put into Boost.Crypto3 only proven schemes with only proven implementation techniques. Most of them, files related to them e.g. in CryptoPP, were not being changed for years.
Moreover cryptography in Boost is not only about the implementation. It is also about the architecture, the set of concepts.
Coming to âIf I were looking for a cryptographyâ¦â. You are right, the "stamp of approvalâ matter nothing in case you are looking for some complex protocol/scheme, but this is not what you would use a generic-purpose cryptography library for. This particular case makes you look for the implementation which you would be able to audit by yourself. But in other cases, bringing CryptoPP/OpenSSL or simply some random library from the Internet to the project in case of need for SHA-family hash or some block cipher is not that handy, as simply use boost::crypto3::sign<ecdsa>() or boost::crypto3::hash<sha2<256>>(), which has well known, well established implementation techniques and no complex protocols at all.
I would say in case you look for something complicated in cryptography, you donât go for general-purpose libraries. And non-general purpose libraries are often being implemented by folks with acknowledgement in very particular fields. So, questions like âWho is Mikhail Komarov?â are not valid because (yeah, the most stock argument is coming) of we would have never knew the Earth is round (for example) if we followed that principle. Like, âWho the heck is Galileo Galilei to tell us that?â. And yet it moves :) (Here it is. The most stock argument in the world. Thank you, thank you. My pleasure.)
But, you are right, this particular jurisdiction mentioning does bring too much questions. You are not the first one. Iâm already thinking to mention some other one of ours.
> On 4 Sep 2020, at 17:06, Phil Endecott via Boost <boost_at_[hidden]> wrote:
> Mikhail Komarov wrote:<nemo_at_nil.foundation>
>> Some time ago I promised to show something about cryptography library architecture and implementation for Boost
> Here's a "meta question" about the idea of having
> cryptography in Boost: do we think that the "Boost
> process" (i.e. reviews etc.) is suitable for
> cryptography, where the issues are somewhat different
> than other domains?
> If I were looking for a cryptography library, I don't
> think that Boost's emphasis on modern C++ best-practice
> and the "stamp of approval" from our review process
> would be my top priorities. Rather, I would be looking
> for a track record of securely-implemented cryptography
> coming from acknowledged and trusted domain experts.
> So if I were comparing this with other libraries, my
> first question would be "Who is Mikhail Komarov?", followed
> by "what is the Nil Foundation, and why is it registered
> in the Cayman Islands?".
> Regards, Phil.
> Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk