[Cryptography-dev] Fernet NG or alternative simple, high-level, encrypted message module?

Paul Kehrer paul.l.kehrer at gmail.com
Sun Jun 12 23:51:26 EDT 2016


Hi Frank, sorry about the delayed response. Replies inline.

On June 5, 2016 at 6:34:58 PM, Frank Siebenlist (frank.siebenlist at gmail.com)
wrote:

...snip...
Questions for the pyca/cryptography community:

* Any others who share the need/dream for such a high-level, simple
Fernet-style library based on jose/jwt?

There has been some conversation along these lines in
https://github.com/pyca/cryptography/issues/2900 and continuing in
https://github.com/pyca/cryptography/issues/2912

In general I'm in favor of pulling jwcrypto (or something like it) into
cryptography. The obstacles are going to be figuring out the licensing
(cryptography is Apache2/BSD dual licensed and any code contributed to it
needs to be available under those licenses), discussing what (if any) API
changes need to be made to fit in with the API design of the hazmat layer,
and general "make the code style match cryptography".

As I've stated in issue 2912 I do feel that the JW{S,E,T} implementations
belong in hazmat because the IETF specs allow bad algorithm choice. I might
be okay with exposing a specifically opinionated version (e.g. your choices
are taken away and cryptography selects a good choice) as a recipe. This
sounds like it would meet your needs, correct?


* Did we possibly miss an existing effort that meets (most of) those
requirements?

I'm not specifically familiar with any, but the world is vast. :)



* Comments? Suggestions?

Be wary of algorithmic agility. :) Fernet bakes its algorithms into the
version, so a future version can change them but it will result in a
version bump (a system DJB frequently argues for:
https://twitter.com/hashbreaker/status/601074008013037568). I personally
believe it to be a better solution than what the JOSE specs choose to
provide, but I also concede there's value in something being highly
interoperable even if it isn't the platonic ideal. :)



Thanks, Frank.

"From a security perspective, if you're connected, you're screwed." -
Daniel J. Bernstein
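An added illustration of the point above about Fernet baking its algorithms into the version, not part of the original message or of pyca/cryptography's code. It splits a Fernet token by its fixed layout, which has a version byte and no algorithm field, and contrasts that with a JOSE header whose `alg` is chosen by the sender and has to be pinned by the receiver. The helper names, the allow-list policy and the sample tokens are all constructed assumptions.

```python
import base64
import json
import struct

FERNET_VERSION = 0x80                      # only version the Fernet spec defines
ALLOWED_JOSE_ALGS = frozenset({"HS256"})   # receiver-side pin (assumed policy)


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def fernet_fields(token: str) -> dict:
    """Split a Fernet token into its fixed fields (no key, no decryption)."""
    raw = b64url_decode(token)
    # version(1) + timestamp(8) + IV(16) + ciphertext(16*n, n>=1) + HMAC(32)
    if len(raw) < 73 or (len(raw) - 57) % 16:
        raise ValueError("malformed Fernet token")
    if raw[0] != FERNET_VERSION:
        raise ValueError(f"unsupported Fernet version 0x{raw[0]:02x}")
    (timestamp,) = struct.unpack(">Q", raw[1:9])
    return {"version": raw[0], "timestamp": timestamp, "iv": raw[9:25],
            "ciphertext": raw[25:-32], "hmac": raw[-32:]}


def jose_alg(compact: str, allowed=ALLOWED_JOSE_ALGS) -> str:
    """Read the sender-chosen 'alg' from a JOSE header and enforce the pin."""
    header = json.loads(b64url_decode(compact.split(".")[0]))
    alg = header.get("alg")
    if alg not in allowed:
        raise ValueError(f"algorithm {alg!r} rejected by receiver policy")
    return alg


# Constructed samples: dummy bytes in the right layout, not real ciphertexts.
_body = struct.pack(">Q", 1465790000) + bytes(16) + bytes(16) + bytes(32)
FERNET_OK = b64url_encode(bytes([0x80]) + _body)
FERNET_V81 = b64url_encode(bytes([0x81]) + _body)
JWS_HS256 = b64url_encode(b'{"alg":"HS256"}').rstrip("=") + ".e30.c2ln"
JWS_NONE = b64url_encode(b'{"alg":"none"}').rstrip("=") + ".e30."

if __name__ == "__main__":
    print(fernet_fields(FERNET_OK)["version"], jose_alg(JWS_HS256))
```

With Fernet the only thing the token can say about its algorithms is the version byte, so an unknown version is rejected outright; with JOSE the receiver has to supply its own allow-list because the message itself names the algorithm.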
