--
You received this message because you are subscribed to the Google Groups "Keyczar Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keyczar-discu...@googlegroups.com.
To post to this group, send email to keyczar...@googlegroups.com.
Visit this group at http://groups.google.com/group/keyczar-discuss.
For more options, visit https://groups.google.com/d/optout.
Thanks Shawn.
How is the K2 coming along? Is there a migration path from KeyCzar from K2?
No Shawn.It has never been the plan to make K2 interoperable with keyczar. There are just too many design problems with keyczar. Hence a fresh start was really the goal.
I'm also quite annoyed that you are constantly modifying the design goals. This is very disrupting and really doesn't help the project in any way.
Maybe some background would help -- I'm trying to find a "reasonable default" in Play, for end users who have encryption needs without digging into the cryptographic primitives.The comments and Github issue are hereIt looks like Keyczar is a good engine for this, but ideally we'd like people to be able to swap out the implementations while having the same API (i.e. if you just want to encrypt, there shouldn't be a difference between KeyCzar and K2). But if we can't put together a generic enough play.api.libs.crypto API, then packaging KeyCzar with Play and working with it directly is probably the best option.
Right, well… I don’t know of any cryptographic solution that isn’t too low level and OOTB configured for footgun operation, so it’s the API ergonomics I’m really concerned about. KeyCzar is closer than anything else I’ve looked at, and Play can severely constrain and document the more dangerous use cases (as in the case of HTTPS https://www.playframework.com/documentation/2.3.6/LooseSSL).
What’s your recommendation?
On Tue, Jul 7, 2015 at 2:09 AM 'Daniel Bleichenbacher' via Keyczar Discuss <keyczar...@googlegroups.com> wrote:No Shawn.It has never been the plan to make K2 interoperable with keyczar. There are just too many design problems with keyczar. Hence a fresh start was really the goal.We (Andrew and I, at least) planned from the beginning to make the message formatting and other relevant bits pluggable and to include KeyCzar modules. That was a low-priority goal, though.
Please stop pretending that K2 is your idea. This is getting annoying.
On Wed, Jul 8, 2015 at 4:23 AM 'Daniel Bleichenbacher' via Keyczar Discuss <keyczar...@googlegroups.com> wrote:Please stop pretending that K2 is your idea. This is getting annoying.To be precise, what I present as the goals for K2 are the ones that my team came up with. They're the ones that are most important to me, and so are the way I describe the project. When we met with you to discuss the concept those ideas got blended with yours to produce a combined approach, which was labeled with the project name you came up with. I should be more careful to include your goals in my description of the project, I suppose.
Regarding message formatting, during our initial planning meeting in Zurich I know Andrew and I mentioned the idea of providing an interoperability option. I don't recall if you responded, but I do know that you didn't object at the time, because we'd have discussed it in more depth if you had.
In any case, this is a discussion that's more appropriate for the K2 forum.
Wow, Shawn.You are calling design docs written behind my back with dozens of serious design flaws a "combined approach"?
It does belong here. You are trying to sell keyczar. The library is badly maintained and out of date. You are trying to offset this by claiming it
will be somehow compatible with a new library.