[cryptography] IETF Working Group Charter on Common Interface to Cryptographic Modules (CICM)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Jun 22 08:17:08 EDT 2011


Marsh Ray <marsh at extendedsubset.com> writes:

>Right, so one of the lessons learned here was that if IETF had considered
>APIs and not just protocols those bugs in TLS would have been found long ago.

A pen-tester I know once found a (fairly serious) security hole under the
influence of (equally serious) pharmaceuticals, but I wouldn't recommend the
IETF adopting that as a design strategy, just as I'd be pretty terrified of
the result of the IETF trying to standardise a crypto API.  If you look at the
history of all the widely-used crypto APIs:

Crypto API designed by an individual or a single organisation:

CryptoAPI: A handful of guys at Microsoft.
PKCS #11: Someone at RSA (I've heard different stories).
JCE: A couple of guys at Sun.
OpenSSL: Using the term "designed" very loosely :-), Eric Young and Tim Hudson.

Crypto API designed by a committee:




QED, I think.

Peter.



