<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><span></span></div><div><meta http-equiv="content-type" content="text/html; charset=utf-8"><div dir="auto"><div>&lt;forking "HTTP Parser", thanks for reading and/or sorry in advance for any <span style="background-color: rgba(255, 255, 255, 0);">threading issues that crop up&gt;</span></div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature"><div><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">On Nov 7, 2016, at 11:20 AM, Helge Heß via swift-server-dev &lt;<a href="mailto:swift-server-dev@swift.org">swift-server-dev@swift.org</a>&gt; wrote:<br></span></font></div><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);"><br>P.S.: As a sidenote, can’t someone (hm hm, who would come to mind?) sponsor the CryptoSwift guy to do a java.security like Security standard framework (which includes TLS)? That would be pretty cool :-)<br><br></span></font></blockquote><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">_______________________________________________<br>swift-server-dev mailing list<br><a href="mailto:swift-server-dev@swift.org">swift-server-dev@swift.org</a><br><a href="https://lists.swift.org/mailman/listinfo/swift-server-dev">https://lists.swift.org/mailman/listinfo/swift-server-dev</a><br></span></font></blockquote><div id="AppleMailSignature" style="background-color: rgba(255, 255, 255, 0);"><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div id="AppleMailSignature"><span style="background-color: rgba(255, 255, 255, 0);">Assuming we want a pure-Swift crypto framework _right now_:</span></div><br><div><span style="background-color: rgba(255, 255, 255, 0);">Before any crypto code can safely be written in Swift, there needs to be compiler support to prevent it from optimizing things incorrectly 
(for example, a memset() designed to clear a buffer of secret data). </span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">I may have missed discussions about this on swift-evolution (and maybe swift-server-dev is a place to flesh out a SE proposal to send their way?), but I'm not sure if all that work's been scoped out anywhere, or if it has, what the timeframe is. ABI stability might even be a soft requirement here before anyone can reasonably get started on this.</span></div><div><br></div><div><span style="background-color: rgba(255, 255, 255, 0);">So, I don't think we really want a pure Swift crypto library yet.</span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">Instead: while in C, Security.framework, and CommonCrypto.framework from are both fully open source, and battle-hardened.</span><span style="background-color: rgba(255, 255, 255, 0);"> T</span><span style="background-color: rgba(255, 255, 255, 0);">his is one of the (rare) cases where practicality and strongly deferring to the thing that already exists seem to be the safe option (and not only in opinion).</span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div>Anyway, (to me) the more interesting questions that we can talk about are over API:</div><div>- what constructs are needed (bignum? secure random? hmac? checksumming? key derivation? wrapping a socket in a big TLS hug?)</div><div>- what umbrella(s) do these constructs live in? (maybe bignum is in separate framework, or hugging sockets with TLS is an i/o construct rather than a crypto construct, or.. etc)</div><div>- is there anything to explicitly not support? 
securing a socket with sslv2 and sslv3 seem like obvious candidates here, but maybe the API is even more opinionated and doesn't let you create weak RSA keys, etc.</div><div>- ??? other exciting things to consider here</div><div><br></div><div><span style="background-color: rgba(255, 255, 255, 0);">-z</span></div></div></div></div></body></html>