On Fri, Apr 25, 2014 at 4:20 PM, William Lederer <william.lederer@gmail.com> wrote:
> Thus, I feel Lisp is better but not a total panacea. For example, has the Ironclad library been examined by a cryptographer? Does it, for example, do constant-time comparisons to avoid timing leaks?
The answer to these (and many other questions of cryptographic sophistication) is no. Ironclad has many deficiencies that make it unsuitable for serious cryptographic software.
I'm not sure that several constant-time checks can even be implemented in Common Lisp without some serious assistance from and/or knowledge of the implementation.
-Nathan
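
The timing-leak question raised in this exchange, as an added example that is not part of the original message and is not Ironclad code: an early-exit octet comparison beside one that visits every octet before deciding. All type and function names are hypothetical, and the second version is data-independent only at source level; what the compiled code does depends on the Lisp implementation.

```lisp
;;; Added illustration; not Ironclad code. All names here are hypothetical.

(deftype octet-vector () '(simple-array (unsigned-byte 8) (*)))

(defun leaky-equal (a b)
  "Early-exit comparison: the loop stops at the first mismatching octet,
so running time reveals how long the matching prefix is."
  (declare (type octet-vector a b))
  (and (= (length a) (length b))
       (loop for x across a
             for y across b
             always (= x y))))

(defun accumulate-equal (a b)
  "Visit every octet, OR the XOR differences together, decide once at the
end. Lengths are assumed public (e.g. a fixed-size MAC tag), so the length
check may exit early."
  (declare (type octet-vector a b))
  (and (= (length a) (length b))
       (let ((diff 0))
         (declare (type (unsigned-byte 8) diff))
         (dotimes (i (length a) (zerop diff))
           (setf diff (logior diff (logxor (aref a i) (aref b i))))))))

(defun make-octets (&rest bytes)
  "Helper: build an octet vector from integer arguments."
  (make-array (length bytes)
              :element-type '(unsigned-byte 8)
              :initial-contents bytes))

;; Constructed sample tags, not taken from any real protocol.
(let ((expected  (make-octets #xde #xad #xbe #xef))
      (good      (make-octets #xde #xad #xbe #xef))
      (bad-first (make-octets #x00 #xad #xbe #xef))
      (bad-last  (make-octets #xde #xad #xbe #x00))
      (short     (make-octets #xde #xad #xbe)))
  ;; Both functions agree on the result; they differ only in how much
  ;; work they do before returning.
  (assert (accumulate-equal expected good))
  (assert (not (accumulate-equal expected bad-first)))
  (assert (not (accumulate-equal expected bad-last)))
  (assert (not (accumulate-equal expected short)))
  (assert (eq (leaky-equal expected bad-first)
              (accumulate-equal expected bad-first)))
  (assert (eq (leaky-equal expected good)
              (accumulate-equal expected good))))
```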