> Today, I maintain the cryptography packages that ship as part of the Go standard library (crypto/… and golang.org/x/crypto/…), including the TLS, SSH, and low-level implementations, such as elliptic curves, RSA, and ciphers. These packages are critical to virtually every Go application, securing HTTPS requests, implementing authentication, and providing encryption.
I'm no cryptographer so I might be misunderstanding how all this works (also why I have to rely on whatever signal I can catch instead of just reviewing the code myself like with other more mundane dependencies), but it was my impression that in cryptography things were to be considered with skepticism until at least someone else (emphasis on "someone else") with good enough credentials/skills had attempted to break it at least once.
Because the vast majority of new works are not done by one of the few who would be qualified to check it.
You can think of the cryptography community as similar to the math community. If some nobody makes a new proof of a big conjecture, it is considered with skepticism until some big name comes around to verify it. If Terence Tao comes out with a new proof in one of his specialities, people are going to assume it's basically correct or will have only very minor errors that are easily fixed.
Have you seen Filippo's credentials? He's overwhelmingly qualified for this. https://github.com/FiloSottile
> Today, I maintain the cryptography packages that ship as part of the Go standard library (crypto/… and golang.org/x/crypto/…), including the TLS, SSH, and low-level implementations, such as elliptic curves, RSA, and ciphers. These packages are critical to virtually every Go application, securing HTTPS requests, implementing authentication, and providing encryption.