Closed sosaucily closed 1 year ago

Hi team, thanks for your hard work on this library, and so many others.

I'm interested in using the SRP package, and am wondering if you believe it to be production-ready, and what the process would be for getting a third-party audit firm to review it. I have some connections to various well-known firms, but I wonder if you have some in particular that you require.

Thanks!

srp needs a bit of work, it would be nice to migrate it to crypto-bigint and we have two pending PRs for it. You probably could use the current version in production, but I am not sure if the current impl is constant time.

@sosaucily we're not too picky about free audits. Some of the others have been by NCC Group and Cure53, though at least the former is somewhat notoriously backlogged.

Thanks @newpavlov @tarcieri for the responses. I'm not too worried about constant time, as long as the worst case isn't a terrible user experience. I guess it wouldn't be noticeable during a user login flow for a standard app.

Great, thanks for the feedback. If we decide to use SRP, it will be this repo, and I'll re-engage the idea of a security audit.