[Cryptography-dev] The one where we talk about crypto-ethics
Matěj Cepl
mcepl at cepl.eu
Thu Nov 20 17:31:40 CET 2014
On 20/11/14 17:18, Alex Gaynor wrote:
> * Are we qualified to do this? Some of this code, for example the PKCS#12
> KDF is straight up crypto. Other parts of it are more-or-less just parsing
> and ASN.1 handling
> * Parsing and ASN.1 handling still have serious security implications
> * Are we qualified to review this code?
> * On the flip side, we're moving a bunch of code from dangerous C to memory
> safe Python.
> * We actually write tests, which is probably not true of all of our
> backends.
My paranoid heart tells me this is wrong. Problems should be fixed in
the place where they should be fixed. It looks to me that if there is
something wrong with OpenSSL treating keys, then OpenSSL should be fixed.
Best,
Matěj
--
http://www.ceplovi.cz/matej/, Jabber: mcepl at ceplovi.cz
GPG Finger: 89EF 4BC6 288A BF43 1BAB 25C3 E09F EF25 D964 84AC
In the government of this Commonwealth, the legislative
department shall never exercise the executive and judicial
powers, or either of them: The executive shall never exercise the
legislative and judicial powers, or either of them: The judicial
shall never exercise the legislative and executive powers, or
either of them: to the end it may be a government of laws and not
of men.
-- John Adams in the Article XXXth of the Constitution of the
Commonwealth of Massachusetts
More information about the Cryptography-dev
mailing list