Perform a code and security audit

Open rmhrisk opened this issue 11 years ago • 4 comments

Before this code is used in production systems a code and security audit should be performed.

rmhrisk avatar May 02 '14 21:05 rmhrisk

Hey @rmhrisk.

I'll request an independent security audit for https://github.com/relaycorp/relaynet-core-js in a few months, and it depends on PKI.js for X.509, CMS EnvelopedData and CMS SignedData support, so I'll make sure to have PKI.js covered in that audit (at least the parts relevant to relaynet-core-js).

What would be the best way to liaise with you on any findings related to PKI.js? The README seems to suggest that security vulnerabilities should be reported on the issue tracker, but presumably you wouldn't want to have any critical issue publicly disclosed before there's a fix?

gnarea avatar Dec 12 '19 03:12 gnarea

To be clear, PKIjs is used in many production applications and, as part of that, it has gone under many partial security reviews as part of the release processes used for those applications.

Above that we too have done our own security reviews (several in fact over the life of the project).

This bug was intended to track getting a complete independent review performed that would include some scope and a document that could be used by others to get an idea of the completeness and nature of those reviews.

We definitely appreciate the inclusion of PKIjs in your review process and are happy to help as you do that as well. Ryan @ PeculiarVentures is a good email for me and rmhrisk on Skype is a quick way to reach me usually.

With that said, as a free open source project we have decided to track issues in the open.

rmhrisk avatar Dec 12 '19 05:12 rmhrisk

Thanks Ryan! It's good to know security reviews have already been done.

gnarea avatar Dec 12 '19 13:12 gnarea

Hey @rmhrisk. I finally got round to requesting the security audit a few days ago. They'll focus on the stuff we're using in our projects -- namely, Certificate, EnvelopedData, SignedData and related classes. This is part of a much bigger audit and it'll probably take them a few months to get to PKI.js, but I'll post an update here when they're ready to start.

gnarea avatar Sep 30 '23 10:09 gnarea