[Esapi-user] Call for review of crypto code
Boberski, Michael [USA]
boberski_michael at bah.com
Fri Apr 30 08:29:54 EDT 2010
I do have one general comment that's basically just a reiteration of previous proposals to basically further wrap the crypto, it occurred to me again yesterday as I was reviewing existing documentation and working on consolidating and extending it in http://code.google.com/p/owasp-esapi-java/wiki/Welcome , if you look inside the ESAPI for Java distribution in " \ESAPI-2.0-rc6\documentation", the amount of documentation for Encryptor is much more than for any other control. (1)Other ESAPI controls aren't as hard to use, (except maybe the WAF which is a separate thread), and (2)none create proprietary (non-standards-based) outputs, for Encoders for example we code to e.g. MySQL specs, why don't we do something similar, like use PKCS#7 or CMS here. Also, why does ESAPI care how a crypto algorithm is implemented, I really don't think we want to try to stand behind algorithms, we're not the open crypto project, we're just a wrapper that uses things according to best practices, FIPS 140 or no for example. It's our use of algorithms and key management that we should solicit reviews of.
More information about the Esapi-user