[cryptography] IETF Working Group Charter on Common Interface to Cryptographic Modules (CICM)
pgut001 at cs.auckland.ac.nz
Wed Jun 22 08:17:08 EDT 2011
Marsh Ray <marsh at extendedsubset.com> writes:
>Right, so one of the lessons learned here was that if IETF had considered
>APIs and not just protocols those bugs in TLS would have been found long ago.
A pen-tester I know once found a (fairly serious) security hole under the
influence of (equally serious) pharmaceuticals, but I wouldn't recommend the
IETF adopting that as a design strategy, just as I'd be pretty terrified of
the result of the IETF trying to standardise a crypto API. If you look at the
history of all the widely-used crypto APIs:
Crypto API designed by an individual or a single organisation:
CryptoAPI: A handful of guys at Microsoft
PKCS #11: Someone at RSA (I've heard different stories).
JCE: A couple of guys at Sun.
OpenSSL: Using the term "designed" very loosely :-), Eric Young and Tim Hudson.
Crypto API designed by a committee:
QED, I think.
More information about the cryptography