by asd2r23dasd 3004 days ago
I think the most useful parts of the document are the 'really try hard to use TLS for any comms problem' or 'try to use Amazon's key management for encryption' answers, and pointers to good libraries.

Beyond that: developers aren't normally tasked with building systems out of cryptographic primitives. Those that do are typically (hopefully!) experienced enough to pick a solid primitive.

Those who need to look up which primitive to use need to know that the security of the final system is primarily going to pass or fail on the _composition_ of those primitives rather than the particular choices.

What would be really cool would be a document that takes common use cases and describes how best to build in the cryptographic aspects of the security. Edit: e.g. a good list of OpenSSL ciphersuites and SSL_CTX_config() blah calls for server auth and mutual auth is probably the biggest bang for buck you can get.

I don't want to come across as critical of the effort or correctness --- but I do think people really need to hear the danger klaxon when they're doing more than just editing a TLS configuration file. Composition of primitives is really hard.


Usually, when I think composition of primitives I think MtE vs EtM vs M&E; but that feels like something that's covered. There's also protocol design, but that's also covered ("use TLS"). Can you give an example of the sort of composition you're talking about?

FWIW I'm more hopeful that I can make mTLS work immanently as part of the environment than everyone getting it right in their app. Less httpd more caddy, if that makes sense :)

Ha yeah, composition was a bad choice of word.

Maybe a quick example off the top of my head would be: you know you need to authenticate and perhaps additionally 'encrypt' something --- for say a software update, fancy over-Bluetooth authentication scheme etc.

You need to pick: symmetric or asymmetric schemes? Auth then encrypt? What does replay of an old signature or MAC mean for your system? Key usage limitations? Key re-use? Quite a few ways you can err where the choice of e.g. Ed25519 over P-256 ECDSA pales in comparison.

Or in other words: most people are trying to build a secure system, where security is only achieved by the combination of the protocols and primitives used.

W.r.t. TLS, yeah, bake in default configs as part of an environment where you can, although there'll always be plenty of people developing directly against the software API, and compatibility issues will typically play a part.

When I figure out how to pour that in a document I'll let you know :-D Until then it's one small bite at a time. But yeah, you're right: this is the style of audit and design work we do for clients.

General reco from your list: the answer is always symmetric unless you literally cannot accomplish the same thing any other way. (And you probably can.)
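As an added illustration of the composition questions raised above (replay of an old MAC, key separation, and the "stay symmetric" recommendation), here is a small authenticated software-update format that is not from the thread; the master key, labels and message layout are all constructed assumptions:

```python
import hmac
import hashlib
import struct

# Constructed example, not from the thread: an HMAC-authenticated update
# blob that binds purpose (key separation), a monotonic version (anti-replay)
# and the payload into one tag. All names and the layout are assumptions.

MASTER_KEY = b"\x00" * 32  # placeholder; a real device would be provisioned per unit


def derive_key(master: bytes, label: bytes) -> bytes:
    """Key separation: one master key, one sub-key per purpose, so a tag that
    is valid for one purpose (e.g. telemetry) cannot be replayed as an update."""
    return hmac.new(master, b"derive:" + label, hashlib.sha256).digest()


def _tag_input(version: int, payload: bytes) -> bytes:
    # Length-prefix the payload so the (version, payload) encoding is unambiguous.
    return struct.pack(">I", version) + struct.pack(">I", len(payload)) + payload


def sign_update(master: bytes, version: int, payload: bytes) -> bytes:
    """Blob layout: 4-byte big-endian version | 32-byte HMAC-SHA256 tag | payload."""
    key = derive_key(master, b"firmware-update")
    tag = hmac.new(key, _tag_input(version, payload), hashlib.sha256).digest()
    return struct.pack(">I", version) + tag + payload


def verify_update(master: bytes, installed_version: int, blob: bytes):
    """Returns (accepted, reason, version, payload). Checks the MAC first,
    then rejects anything not newer than what is installed."""
    if len(blob) < 4 + 32:
        return False, "truncated", None, None
    version = struct.unpack(">I", blob[:4])[0]
    tag, payload = blob[4:36], blob[36:]
    key = derive_key(master, b"firmware-update")
    expected = hmac.new(key, _tag_input(version, payload), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "bad-mac", version, None
    # A perfectly valid MAC on an older version is exactly the replay/rollback
    # case the thread asks about: the primitive is fine, the composition decides.
    if version <= installed_version:
        return False, "replay-or-rollback", version, None
    return True, "ok", version, payload
```

The MAC alone never answers "is this update new"; the version check and the per-purpose key are what turn a correct primitive into a system that resists replay.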