expath / expath-cg

Repository for the W3C EXPath Community Group.

Future of the EXPath Crypto spec and libs #132

Open joewiz opened 3 years ago

joewiz commented 3 years ago

As I mentioned on last Monday's eXist-db Community Call, @claudius108 informed me of the good news that he is working on a PhD. Congratulations, Claudius!

For the EXPath community, this means that we need to find new maintainers for the EXPath Crypto java library and eXist implementations and a new editor for the underlying specification. Respectively, these projects reside in https://github.com/claudius108/crypto-java-lib and https://github.com/eXist-db/crypto-exist-java-lib, and Claudius's most recent work on the v2 of the spec lives in https://github.com/claudius108/expath-cg/commits/master/specs/crypto (a fork of https://github.com/expath/expath-cg/commits/master/specs/crypto).

To my knowledge, past contributions to the crypto project besides Claudius's have come from @chakl, @adamretter, and @nsincaglia. I also know that @ChristianGruen has implemented the crypto spec for BaseX (see https://docs.basex.org/wiki/Cryptographic_Module). It's great that we have 2 implementations of the Crypto spec, and I think this state of affairs should continue if at all possible.

I would be grateful if Olaf, Adam, Nick, Christian, or any members of the EXPath, BaseX, and eXist (@eXist-db/core) communities could chime in here with their priorities for the future of this project. I know that many projects rely on the crypto library, including mine. It would be great to know what plans, if any, are currently in place for continued maintenance or development of this project.

To start discussion off, my project depends on the crypto library: one app that talks to the Twitter API uses the crypto:hmac function, and another that talks to the Amazon AWS S3 API uses the crypto:hash function. I recall that @chakl extended the crypto library to perform some functions needed for the eXist SAML implementation.

So, here are my questions:

  1. What are you using the Crypto lib for?
  2. What resources could you provide for continued maintenance or development of the EXPath Crypto spec and/or libs?

p.s. Thanks to @claudius108 for his enormous contributions as editor and implementor of the EXPath Crypto spec! Good luck in your endeavors!

adamretter commented 3 years ago
  1. What are you using the Crypto lib for?

I don't use it myself.

  2. What resources could you provide for continued maintenance or development of the EXPath Crypto spec and/or libs?

If there is interest and there was a group (of 2+ people) who wanted to work on a v2 spec, I would like to be involved in that and would invest time in the spec work. If a v2 spec were built and finalised, we would then likely implement it for FusionDB.

ChristianGruen commented 3 years ago

Hi Joe,

  1. What are you using the Crypto lib for?

I have used one or the other function in the past, sometimes in combination with functions from the BaseX Hashing Module.

  2. What resources could you provide for continued maintenance or development of the EXPath Crypto spec and/or libs?

I guess I won’t have time to get fully involved. As in the past, though, I’ll be happy to give feedback on new drafts of the spec.

Cheers, Christian

line-o commented 3 years ago

Speaking on behalf of eXist Solutions: we are invested and committed to further developing the crypto-lib and also to taking part in an effort to finalize the specification. The short-term goal is a working crypto-lib for the upcoming release of eXist-db.

What are you using the Crypto lib for?

The implementation of https://github.com/eXistSolutions/exist-jwt depends on the crypto-lib.

nsincaglia commented 3 years ago

  1. What are you using the Crypto lib for?

We use the EXPath Crypto module for a lot of different things. We use it to calculate file hashsums before we transfer them over the internet so that the recipient of data we send can verify that the data has not been corrupted during transmission. We have also developed a variety of RESTful web service modules to connect to 3rd party services such as AWS (S3, SQS, SNS, Transcoder), Box.com, Dropbox, Azure Cloud Storage, Google (Drive, Sheets, BigQuery, Functions, Analytics). All of these 3rd party APIs have security and each is slightly different from each other.

  2. What resources could you provide for continued maintenance or development of the EXPath Crypto spec and/or libs?

I spoke with Lars at eXist Solutions recently and mentioned I was interested in sponsoring this work. Because we interface with so many different web APIs, we can spend a good amount of time trying to get the Crypto module to implement a security mechanism we need and if it does not work, we have to spend a lot of time trying to get enough information to convey where the module is deficient for our situation. And then there is a challenge to find help to address changes we need because very few people know enough about cryptography, the EXPath Package spec and eXist-db. It is a difficult code base to jump into cold because cryptography is complex and difficult to debug. We have been incredibly grateful to Claudius and Adam for helping us over the years. I'm sure it has been challenging for them to provide help because our requests come expected and they are both very busy.

Nick