On Wed, Jan 7, 2015 at 2:40 PM, Jeffrey Goldberg <jeff...@goldmark.org> wrote:
> On 2015-01-07, at 12:26 PM, Kevin <kevinsisco61...@gmail.com> wrote:
>
>>    Any company could review it and decide if it's worth using or not.
>
> Hi Kevin.
>
> Actually that’s a part of my job within the company I work for. I’m the one
> who can read some of the primary literature in cryptography. Now this makes
> me unusual, not a lot of companies our size have someone with my skills.
>

And I'm betting they're Fortune 100. My point is, the company I work
for does pentesting and has seen so many issues with information that
people thought was "encrypted" not being "encrypted" and then leaked
because it was only obfuscated with some base32/64 or w/e and maybe
rotated by some value or w/e. It's kinda insane what people will do
instead of using a well vetted crypto library. So I'm fearful that
we'll stumble across someone using your library by finding some issue
with it and the client says "well, we encrypted it" and then "well,
obviously not".

OTOH, people will be people. If you want to keep it available and hope
that no one uses it in production and that someone reviews it *shrug*.
If someone uses it vs making their own system, hopefully you're
smarter than them (probably) and it'll be harder to break than w/e
they might've done. And it would probably be a good learning exercise
if an "expert" got back to you with issues.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
