by tptacek 3519 days ago
Libraries like this are almost invariably a terrible idea: none of the more recent alternatives to OpenSSL I've seen have avoided resurrecting crypto bugs OpenSSL fixed years ago.

But: Thomas Pornin!

So, this is pretty neat. I hope lots of crypto people take a very hard look at it.


Yeah, the general wisdom is, basically, "if you don't know what you're doing, leave the crypto to the experts".

I don't know the guy but, from what I gather, he is considered to be one of these experts, yes?

(Edit: If I had read further comments before replying, I would've found the answer to my question.)

Besides being a crypto professor, he managed to guess what CRIME was about, after it was announced that some bad OpenSSL advisory was imminent, but before it came out.

Therefore the proposed bug squashing strategy of "just claim that there's a bug in XYZ and let him oracle what it is".

Yep!