Thanks Neil.  I'm aware of the problem of implementation issues, in general, 
but I am new to Racket.  So, if I understand correctly, this would argue for 
using the OpenSSL Racket module for TLS.  I think that's the most sensitive 
part, in terms of C/C++ bugs and failures, since it's network facing.  


On Apr 28, 2017, at 1:37 PM, Neil Van Dyke wrote:

> I always look at tonyg's work first.
> Aside: I try to keep uses of third-party crypto code as simple and minimal as 
> possible.  We know crypto implementations are complex, and defect-prone.  And 
> any party in the chain of the software architecture or provenance can 
> introduce a vulnerability (e.g., Debian breaking SSL when they were only 
> supposed to be compiling and packaging upstream code).  One thing I've done 
> in the past, when appropriate, is to isolate crypto libraries to separate 
> processes, and use variations on Racket `system` to call them.  This at least 
> keeps C/C++ bugs from being able to exploit or corrupt anything in the Racket 
> process, and also usually makes any failures in the running C/C++ code 
> short-lived
> James wrote on 04/28/2017 01:13 PM:
>> I am researching options for a major project which needs various 
>> cryptography functions.  We want to implement TLS with ourselves as the only 
>> certificate authority, establish a web of trust, and also encrypt and sign 
>> individual files.  I see that there is an OpenSSL module in Racket so that's 
>> an option.  I thought I saw an NaCl module a while back but now I can't find 
>> it. Maybe I'm mistaken.  What I did find was two different projects on 
>> Github which provide language bindings for Racket to libsodium.  Neither 
>> have much documentation so I am wondering if they are ready for a major 
>> project and if so, which one should I use?
>> They are:
>> I also see references to another one called natrium but there are only 
>> broken links.
>> James

You received this message because you are subscribed to the Google Groups 
"Racket Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
For more options, visit

Reply via email to