advisory-db icon indicating copy to clipboard operation
advisory-db copied to clipboard
verified publisher icon rustsec

Add notice `ed25519-dalek`

Open pinkforest opened this issue 3 years ago • 0 comments

Closes #1360

NOTE: This does NOT necessarily mean the crypto on ed25519-dalek is inherently broken or insecure as of now

e.g. Depending on how we classify / see broken / insecure - people often see crypto-failure where pub API was not misused

https://github.com/dalek-cryptography/ed25519-dalek/issues/192 https://github.com/dalek-cryptography/ed25519-dalek/issues/209 https://github.com/dalek-cryptography/ed25519-dalek/pull/205

Question is whether this should be informational / unmaintained or informational / notice ..

or even a crypto-failure at this stage ?

How conservative should we be here considering the potential exploit requires pub API misuse

There is crypto-failure since it's crypto lib after all :woman_shrugging:

Or maybe we can push out the first ever informational = "notice" :thinking: :thought_balloon:

ed25519-compact I've asked Frank about formal verification report status: https://github.com/jedisct1/rust-ed25519-compact/issues/13

pinkforest avatar Aug 14 '22 09:08 pinkforest