On Mon, Dec 22, 2014 at 7:52 PM, Marko Rauhamaa <ma...@pacujo.net> wrote: > Chris Angelico <ros...@gmail.com>: > >> Level 0: Why implement your own crypto?!? > > Licensing concerns come to mind. > > For example, the reference implementations of MD5 [RFC1321] and SHA1 > [RFC3174] are not in the public domain.
Which would you prefer? Something with licensing restrictions, or something that's either outright buggy, completely insecure due to something you didn't notice, or maybe has an unnoticed side-channel attack that leaks your keys? While these can happen with well-known libraries like libssl, they also get patched; when Heartbleed went public, updates to the affected versions were available pretty quickly, but if you had your own implementation, someone might be leaking your keys without your knowledge and you have to fix it yourself... if you ever notice. But we're somewhat off topic now... ChrisA -- https://mail.python.org/mailman/listinfo/python-list
