Hacker News
by hintjens 4828 days ago
It's not an either-or choice. Salt's security is good but it's been a request from that team, as from others, to get security into the libzmq core. Doing it at the application level is problematic for many reasons. It's unreasonably complex, and does not play well with 0MQ sockets (many of which, like PUB-SUB and PUSH-PULL, are unable to do two-way negotiation).

With CurveCP you can still use TLS for key exchange itself; what CurveCP provides is a highly robust answer for the actual connection: short-term keys and nonces. It's new but so is Salt's crypto algorithm, which was not built to quite the same level of paranoia as CurveCP.

We're still some time away from working code in libzmq and as much as a year or two from a crypto layer that's properly hardened. Having it in libzmq will mean it gets much more attention, which can only be good.