Re: [Bug 25839] Curve25519 Named Curve

>> the native language bindings for things like NaCl attempt to just use the
>> djb-reference implementation, and just wrap that. So it is a bit
>> questionable on the 'interoperability', but it at a minimum requires a
>> formal definition for what format(s) are supported for these operations.
>
> It's true that most people use one of the high-quality open-source
> implementations that Dan Bernstein or Adam Langley have produced, or
> implementations derived from these (by Frank Denis, Robert Ransom, floodyberry,
> CodesInChaos, etc).
>
> That speaks to the quality of these implementations; it doesn't imply interop
> problems.

"High quality" is somewhat relative and probably needs to be qualified.

The libraries likely meet their cryptographic goals. However, I
believe there are opportunities for improvement with respect to their
implementations and software engineering process (speaking from
experience after working with one of the libraries).

An organization with an astute assurance or QA team will find a number
of issues that range from implementation defects to governance gaps.

The implementation issues include undefined behavior that's subject to
removal at any time by the compiler. The governance issues include the
engineering process, and static and dynamic analysis. I would not
expect either of them to be present in "high quality" software.

Jeff

Received on Friday, 25 July 2014 08:09:36 UTC