On Jun 2, 2005, at 3:48 AM, Dave Paris wrote:
> Greetings,
> It was brought to my attention that Crypt::DES is included in the
> Phalanx 100 list. While I'm flattered, I think this should be
> replaced by a better symmetrical crypto module like Crypt::Rijndael.
> The reasoning is simple. Crypt::DES is terribly weak and slow by
> comparison. The algorithm is old and included in CPAN to allow
> backwards compatibility with 3rd party cryptosystems.
> By inclusion in the Phalanx 100 list, it may be inferred by those
> without a cryptography background (or even merely a working knowledge
> of cryptography) as a reasonable module to use for a modern
> cryptosystem when it most definitely isn't.
> Thoughts and comments welcome.
My understanding is that inclusion on the Phalanx 100 doesn't
constitute any sort of endorsement of the modules. It's hopefully a
statement that the module is widely used, but not a judgment on whether
it ought to be.
I would suggest that you make these reservations you expressed above
clear in the perldoc of the module. (Maybe it already does; I didn't
check.)
Beyond that, though, the Phalanx project has always stated that they
want to work with authors, not against them, so if you want to remove
your module from the project it's absolutely your prerogative.
However, perhaps I and others can convince you that there is value in
participating. (I.e., even if the module is slow and cryptographically
weak, it seems to be widely used so there is an argument for ensuring
it works as well as it can within the bounds of what it tries to do.)
-kevin
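For readers who land on this thread looking for the swap Dave suggests, here is an added example (not code from the thread, from Crypt::DES, or from Crypt::Rijndael's own distribution) of Crypt::Rijndael used the way a modern cryptosystem would use it: a 256-bit key, a fresh random IV per message, PKCS#7 padding to Rijndael's 16-byte block, and an HMAC over the ciphertext so tampering is detected before decryption. It assumes Crypt::Rijndael is installed, the core Digest::SHA module is available, and a Unix-like /dev/urandom; the helper names (random_bytes, pkcs7_pad, encrypt_then_mac, and so on) are this example's own.

```perl
#!/usr/bin/perl
# Added example: AES-256-CBC via Crypt::Rijndael with encrypt-then-MAC.
# Not part of the original thread; helper names are this example's own.
use strict;
use warnings;
use Crypt::Rijndael;
use Digest::SHA qw(hmac_sha256);

my $BS = 16;   # Rijndael block size in bytes; Crypt::DES would be 8

# Read n bytes from the OS CSPRNG (assumption: a Unix-like /dev/urandom).
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, $n) == $n or die "short read from urandom";
    close $fh;
    return $buf;
}

# Crypt::Rijndael only accepts whole blocks, so pad with PKCS#7.
sub pkcs7_pad {
    my ($data) = @_;
    my $n = $BS - (length($data) % $BS);
    return $data . (chr($n) x $n);
}

sub pkcs7_unpad {
    my ($data) = @_;
    my $n = length($data) ? ord(substr($data, -1)) : 0;
    die "bad padding"
        if $n < 1 || $n > $BS || length($data) < $n
        || substr($data, -$n) ne (chr($n) x $n);
    return substr($data, 0, length($data) - $n);
}

# Constant-time string comparison for the MAC tag.
sub ct_eq {
    my ($a, $b) = @_;
    return 0 unless length($a) == length($b);
    my $diff = 0;
    $diff |= ord(substr($a, $_, 1)) ^ ord(substr($b, $_, 1)) for 0 .. length($a) - 1;
    return $diff == 0;
}

# $key is 64 bytes: first 32 for AES-256, last 32 for HMAC-SHA256.
# Returns IV || ciphertext || tag.
sub encrypt_then_mac {
    my ($key, $plaintext) = @_;
    die "need a 64-byte key" unless length($key) == 64;
    my ($ek, $mk) = (substr($key, 0, 32), substr($key, 32, 32));
    my $cipher = Crypt::Rijndael->new($ek, Crypt::Rijndael::MODE_CBC());
    my $iv = random_bytes($BS);          # never reuse an IV under the same key
    $cipher->set_iv($iv);
    my $body = $iv . $cipher->encrypt(pkcs7_pad($plaintext));
    return $body . hmac_sha256($body, $mk);
}

# Verifies the tag first; only then decrypts and strips padding.
sub verify_then_decrypt {
    my ($key, $blob) = @_;
    die "need a 64-byte key" unless length($key) == 64;
    my ($ek, $mk) = (substr($key, 0, 32), substr($key, 32, 32));
    die "ciphertext too short" if length($blob) < $BS * 2 + 32;
    my $tag  = substr($blob, -32);
    my $body = substr($blob, 0, length($blob) - 32);
    die "MAC check failed" unless ct_eq($tag, hmac_sha256($body, $mk));
    die "ciphertext not block-aligned" if length($body) % $BS;
    my $iv = substr($body, 0, $BS);
    my $cipher = Crypt::Rijndael->new($ek, Crypt::Rijndael::MODE_CBC());
    $cipher->set_iv($iv);
    return pkcs7_unpad($cipher->decrypt(substr($body, $BS)));
}

# Constructed sample message for the round trip.
my $key = random_bytes(64);
my $msg = "Crypt::DES is kept on CPAN for interop, not for new designs.";
my $ct  = encrypt_then_mac($key, $msg);
my $pt  = verify_then_decrypt($key, $ct);
print "round trip ", ($pt eq $msg ? "ok" : "FAILED"), "\n";

# Flip one ciphertext bit: the MAC check rejects it before decryption runs.
my $tampered = $ct;
substr($tampered, $BS, 1) ^= "\x01";
eval { verify_then_decrypt($key, $tampered) };
print "tampered message rejected: ", ($@ ? "yes" : "NO"), "\n";
```

The two things Crypt::DES cannot give you here are the key length (56 effective bits against 256) and the 16-byte block; everything else in the example (random IV, padding, MAC before decrypt) is needed with any block cipher in CBC mode, and dropping Crypt::DES in for Crypt::Rijndael without them would fix the weakest part of the design while leaving the rest unaddressed.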