|
|
|
|
|
|
by cr0sh
2705 days ago
|
|
|
> Another example would be Monocypher¹, my crypto library. I don't know who you are, nor what Monocypher is, beyond what you have written here, but this example should come with some caveats listed. It is generally considered "best practice" to -not- attempt to roll your own cryptographic system and use it for production purposes, unless or until it has "ran the gauntlet" of peer review - and that review may be long and harsh. Maybe your library is a wrapper around existing functionality to make that functionality simpler to use; or maybe your library has "run the gauntlet" and you are also a "well known" person in cryptographic circles, and so your work is trusted. But again - the general developer should never think to create and distribute their own cryptographic library system, and one would be cautioned that even a crypto library that is "only a wrapper" around other crypto algorithms or libraries should also be thoroughly vetted before incorporating it into your project, especially if that project is anything more than a hobby grade system. |
|
|
No longer. You would know if you spent 10 hours reviewing Monocypher (which I reckon is not a good use of your time), so it's natural that you don't.
> It is generally considered "best practice" to -not- attempt to roll your own cryptographic system
I am keenly¹, painfully² aware of what it takes to write production grade crypto. And I didn't really roll my own. I only implemented primitives everyone trusts. And I wasn't alone either. I've had lots of reviews, as well as substantial external advice and contributions. That you can confirm by scouring the GitHub repository and the Monocypher website for 15 minutes.
[1]: http://loup-vaillant.fr/articles/rolling-your-own-crypto
[2]: https://monocypher.org/quality-assurance/disclosures
---
With that all said, your overly generic advice sounds like you didn't even click the link… did you?