Re: [boost] Cryptography for Boost. Boost.Crypto3.

Well, coming to that, that is why I propose to put into Boost.Crypto3 only proven schemes with only proven implementation techniques. Most of them, files related to them e.g. in CryptoPP, were not being changed for years. Moreover cryptography in Boost is not only about the implementation. It is also about the architecture, the set of concepts. Coming to “If I were looking for a cryptography…”. You are right, the "stamp of approval” matter nothing in case you are looking for some complex protocol/scheme, but this is not what you would use a generic-purpose cryptography library for. This particular case makes you look for the implementation which you would be able to audit by yourself. But in other cases, bringing CryptoPP/OpenSSL or simply some random library from the Internet to the project in case of need for SHA-family hash or some block cipher is not that handy, as simply use boost::crypto3::sign<ecdsa>() or boost::crypto3::hash>(), which has well known, well established implementation techniques and no complex protocols at all. I would say in case you look for something complicated in cryptography, you don’t go for general-purpose libraries. And non-general purpose libraries are often being implemented by folks with acknowledgement in very particular fields. So, questions like “Who is Mikhail Komarov?” are not valid because (yeah, the most stock argument is coming) of we would have never knew the Earth is round (for example) if we followed that principle. Like, “Who the heck is Galileo Galilei to tell us that?”. And yet it moves :) (Here it is. The most stock argument in the world. Thank you, thank you. My pleasure.) But, you are right, this particular jurisdiction mentioning does bring too much questions. You are not the first one. I’m already thinking to mention some other one of ours. Sincerely yours, Mikhail Komarov nemo@nil.foundation

On 4 Sep 2020, at 17:06, Phil Endecott via Boost wrote:

Mikhail Komarov wrote:

...

Some time ago I promised to show something about cryptography library architecture and implementation for Boost

Here's a "meta question" about the idea of having cryptography in Boost: do we think that the "Boost process" (i.e. reviews etc.) is suitable for cryptography, where the issues are somewhat different than other domains?

If I were looking for a cryptography library, I don't think that Boost's emphasis on modern C++ best-practice and the "stamp of approval" from our review process would be my top priorities. Rather, I would be looking for a track record of securely-implemented cryptography coming from acknowledged and trusted domain experts. So if I were comparing this with other libraries, my first question would be "Who is Mikhail Komarov?", followed by "what is the Nil Foundation, and why is it registered in the Cayman Islands?".

Regards, Phil.

_______________________________________________ Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost