On 6/21/2016 7:33 AM, Stanislav Malyshev wrote: >> Mcrypt is meant to be replaced anyways and OpenSSL might be too if we >> can come up with a nicer implementation that actually hides the >> underlying library (e.g. sodium). > > This is another problem. So we have OpenSSL, then we have mcrypt, then > we have another implementation like sodium... do we really expect our > users to rewrite crypto in their apps every couple of years? That would > be insane. OK, we could say "have your apps work as they worked, but use > new stuff for new things" - but you propose to remove stuff? >
Forgot to answer to this part, so here it comes. The mcrypt situation is just a legacy that we need to take care. Exposing OpenSSL was a bad idea from the very beginning if you ask me. OpenSSL is well known of being problematic long before Heartbleed and related things. Ignoring the two specifics. Yes, I expect people to rewrite there crypto every couple of years because, well, it is crypto and crypto is something that changes every couple of years. Attacks are developed further, key sizes are not sufficient anymore, and new technology makes old cryptos unsafe. Security is a topic where a language really needs to move fast if necessary and users need to be prepared to do the same if they want to provide good crypto. Way too many problems arise from ignoring that. -- Richard "Fleshgrinder" Fussenegger
signature.asc
Description: OpenPGP digital signature
