Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!feeder.erje.net!eu.feeder.erje.net!newsfeed.xs4all.nl!newsfeed4a.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.021 X-Spam-Evidence: '*H*': 0.96; '*S*': 0.00; 'affected': 0.07; 'notice,': 0.07; '22,': 0.09; 'cc:addr:python-list': 0.11; 'from:addr:rosuav': 0.16; 'from:name:chris angelico': 0.16; 'leaks': 0.16; 'md5': 0.16; 'prefer?': 0.16; 'public,': 0.16; 'sha1': 0.16; 'well-known': 0.16; 'fix': 0.17; 'wrote:': 0.18; 'cc:addr:python.org': 0.22; 'mind.': 0.24; 'mon,': 0.24; 'versions': 0.24; 'cc:2**0': 0.24; 'header:In-Reply-To:1': 0.27; 'chris': 0.29; 'topic': 0.29; 'dec': 0.30; 'message- id:@mail.gmail.com': 0.30; 'went': 0.31; 'keys': 0.31; 'libraries': 0.31; "we're": 0.32; 'maybe': 0.34; 'knowledge': 0.35; 'something': 0.35; 'but': 0.35; 'received:google.com': 0.35; "didn't": 0.36; 'example,': 0.37; 'level': 0.37; 'implement': 0.38; 'pm,': 0.38; 'either': 0.39; 'happen': 0.63; 'due': 0.66; 'subject:Hello': 0.72; 'insecure': 0.84; 'now...': 0.84; 'yourself...': 0.84; 'subject:World': 0.91; 'to:none': 0.92 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:cc :content-type; bh=CMk3Kf8jfgPl0i43kNYz9ucjV3OposZOzpgDMKkEKhE=; b=vtTtSwFuRnySnRiYzv6QW2uiU6jq7bKGKZDBstwiMVqxSkkMtMe1Bm13Vf6ttH1hl7 kANPJZ8XanOPrqHJkyIE+KTwvb979qC02MIzeUhWX6vs6uNWyxD1lFCUk8ufwfLsFARw vszZtIOLXhYfrKndNWWH5J5CFQQ4izvvR1i+0CaE549lvPr35VoDpdaULboGzydNXnOe xd4AOMmRdHnZIZbwYqFJRnQDGPFAKEz0pCaAN2S2gQ6VZMkpTjlRJTsWDQu8mbXO2Yu4 JZeISeiO2QUt09W7zp4Bu/Q7/CpwIqUroCfVjkHKh3OdgCAMZnZbR2JxH1vp7Bx9XgbF HZKA== MIME-Version: 1.0 X-Received: by 10.107.7.94 with SMTP id 91mr18987167ioh.27.1419238885522; Mon, 22 Dec 2014 01:01:25 -0800 (PST) In-Reply-To: <8761d4t6b2.fsf@elektro.pacujo.net> References: <54957226$0$12975$c3e8da3$5496439d@news.astraweb.com> <54971df7$0$30820$b1db1813$ba2d9d20@news.astraweb.com> <54974ed7$0$12986$c3e8da3$5496439d@news.astraweb.com> <8761d4t6b2.fsf@elektro.pacujo.net> Date: Mon, 22 Dec 2014 20:01:25 +1100 Subject: Re: Hello World From: Chris Angelico Cc: "python-list@python.org" Content-Type: text/plain; charset=UTF-8 X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 23 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1419238889 news.xs4all.nl 2895 [2001:888:2000:d::a6]:50642 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:82762 On Mon, Dec 22, 2014 at 7:52 PM, Marko Rauhamaa wrote: > Chris Angelico : > >> Level 0: Why implement your own crypto?!? > > Licensing concerns come to mind. > > For example, the reference implementations of MD5 [RFC1321] and SHA1 > [RFC3174] are not in the public domain. Which would you prefer? Something with licensing restrictions, or something that's either outright buggy, completely insecure due to something you didn't notice, or maybe has an unnoticed side-channel attack that leaks your keys? While these can happen with well-known libraries like libssl, they also get patched; when Heartbleed went public, updates to the affected versions were available pretty quickly, but if you had your own implementation, someone might be leaking your keys without your knowledge and you have to fix it yourself... if you ever notice. But we're somewhat off topic now... ChrisA