On 07.09.17 at 17:08, Andrey Semashev via Boost wrote:
On 09/07/17 16:59, Vinnie Falco via Boost wrote:
On Thu, Sep 7, 2017 at 2:50 AM, Richard Hodges via Boost wrote:
I think it would be reasonable to say that most people (tm) use either the openssl or CryptoCpp libraries.
I doubt either of these libraries would pass a Boost review.
They don't need to.
I think a full implementation of cryptographic algorithms in Boost, while it would be nice in theory, is not very feasible in practice. First, it would require a group of very skillful and active developers that keep their hand on the pulse in the security and cryptography field. Vulnerabilities need to be acted upon fast, which also means that the Boost release schedule doesn't suit such a library very well. The implementation has to be robust and fast to compete with other implementations (and by fast I mean including writing assembler routines for many algorithms). Then, preferably, the implementation would have to pass an independent audit to gain some trust in users.
(late reply, catching up threads)

The last sentence is very important I think in crypto: why would I trust a Boost implementation more than e.g. OpenSSL? How to prevent attacks on the repo? (signed commit and all the like). Even in the case of e.g. Boost providing a nice interface to a "serious" crypto backend, as soon as some password/private key needs to transit through this interface, then the interface should be trusted as well.

Raffi