rlittlefield / pypaseto

PASETO for Python

Security audit #8

Open rlittlefield opened 6 years ago

rlittlefield commented 6 years ago

Pypaseto could use a security audit by a third party to make sure any glaring issues are resolved. A good audit should probably be done after we feel like the api is somewhat stable. We should also wait for the paseto RFC to be in public review so any potential issues with the general approach to paseto can be ironed out.

Once this is ready, we just have to figure out how to pay for it.

tim-schilling commented 3 years ago

@rlittlefield Is there anything that can be done to start paving the way to fund the security audit? Would it be possible to identify who will do the review and a ballpark estimate for it?

rlittlefield commented 3 years ago

I think https://paragonie.com/ would be a good place to start since Scott Arciszewski is the author of the original PHP reference implementation. I don't know if they would be willing or what the price would be. My intent behind the audit is more about verifying the implementation than about the protocol, so that might be a good fit. pypaseto is quite small, so perhaps the audit wouldn't be too costly.

tim-schilling commented 3 years ago

Do you feel that the API is stable enough to start that process? I'm new to the RFC process, but it looks like the draft was opened to the public in April 2018.

rlittlefield commented 2 years ago

So it looks like the answer to this question, which I didn't have before, is no. The PASETO standard recently added v3 and v4, plus the work to support PASERK and/or typed keys means we are looking at some fairly big changes coming soon, both in function parameter requirements and what happens behind the scenes.

In the short term, I'm going to look into getting those changes made, and then we can revisit auditing once that calms down. I do think an audit is unlikely soon, but we can improve our security posture in an effort to be production-ready. Projects include expanding our unit tests, providing an easy way to generate and load keys, and improving documentation.