[Python-Dev] PEP 506 secrets module
Brian Gladman
brg at gladman.plus.com
Sat Oct 17 07:14:14 EDT 2015
> On Sat, Oct 17, 2015 at 03:26:46AM +1100, Steven D'Aprano wrote:
[snip]
> But significanly, only *one* of the commenters has claimed to have
> any significant experience in crypto work, and I will quote him:
I didn't specifically claim the experience you requested in responding
to your post on comp.lang.python because I thought that this was implied
in making a response.
In fact I have 30+ years of experience in implementing cryptographic
code (much involving random numbers) so there were at least two
respondents who could have made this claim.
For the record, I consider it desirable in code involving security to
exhibit the minimum functionality neccessary to get a job done. This is
because funtionality and security very often work against each other in
building secure systems.
I hence support your conclusion that the module should offer randbelow
alone. I would oppose offering randomrange (or offering more than one
of them) since this will pretty well guarantee that, sooner or later,
someone will make a mistake in using the extra functionality and
possibly deploy an insecure application as a result.
Brian Gladman
More information about the Python-Dev
mailing list