On Sat, Jan 4, 2014 at 11:59 PM, ianG <i...@iang.org> wrote: > Not sure if it has been mentioned here. The Better Crypto group at > bettercrypto.org have written a (draft) paper for many of those likely > configurations for net tools. The PDF is here: > > https://bettercrypto.org/static/applied-crypto-hardening.pdf > > If you're a busy sysadm with dozens of tools to fix, this might be the guide > for you.
this is an excellent resource! i've been impressed with the collective effort and end result in this guide. also mentioned bettercrypto in a thread about better defensive application randomness on the RNG list[0]. it would be awesome to have a similar effort focused on developers. this would detail the correct way to use various cryptography libraries and frameworks in a robust manner in the various languages and platforms in use today. there is a distinct lack of accessible resources for developers deploying crypto in their applications, even for platforms with usable crypto APIs in the standard libraries / OS frameworks! best regards, 0. http://lists.bitrot.info/pipermail/rng/2014-January/thread.html """ better defensive application randomness... 3) perhaps a "best practice random" library is needed for applications. it would keep a thread-specific-storage pool, mix multiple sources into it, combine with OS entropy where available, and then finally mix and fold before use. this way, even if the OS or framework entropy is horribly broken, you've got a source that is much more resilient in application. perhaps a bettercrypto.org like effort specifically for application developers who need to be proficient users of crypto APIs (not all devs applied cryptographers ;) ideally this would cover openssl, polartls, gnutls, crypto++, cryptlib, libnss, etc. """ _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography