
Guide: Basic cryptography #4

Open
pilcrowonpaper opened this issue Feb 20, 2024 · 4 comments

Comments

@pilcrowonpaper
Owner

  • Hash (SHA-1/2/3)
  • HMAC
  • Private/public key (RSA, ECDSA)
@identitymonk

You should not encourage people to run their own cryptography.

@pilcrowonpaper
Owner Author

@identitymonk Not on how to implement crypto stuff. Just the various encoding formats and when/how to use them. Like https://thecopenhagenbook.com/cryptography/ecdsa

@identitymonk

Like you said yourself this guide is about explaining and implementing OAuth2/OIDC only.

There are plenty of guides for the equivalent on the cryptographic front. By adding your own section to the mix you:

  1. You give the impression that the reader needs to do this
  2. You are forced to be exact and up-to-date; otherwise you will misguide people and could be held accountable
  3. You are forced to write a big uppercase and bold disclaimer like in the following section:

In the most basic form, hashing is a one-way process to generate a unique representation of the input. The same input should result in the same hash. Unlike encryption, it is not reversible - you can't get the original data from the hash. Popular examples include MD5, SHA-1, and SHA-256 - DO NOT USE THESE FOR PASSWORDS.

The point (3) is very disturbing. Readers are like "oh this is what I should do. Oh wait.... I should not do it. What should I do then?"

@pilcrowonpaper
Owner Author

@identitymonk

Like you said yourself this guide is about explaining and implementing OAuth2/OIDC only.

Where did I say that?

As such, slow hashing algorithms specifically designed for passwords are used. Common hashing algorithms like SHA-256 are designed to be as fast as possible.

It's written below it? And then it explains common parameters for Argon2id/Scrypt/Bcrypt.

I'm not really sure what the issue is? The point of the book is to provide info on these kind of low level stuff.
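The distinction the quoted book passage draws, a fast general-purpose hash versus a slow, salted password hash, as an added Python example that is not part of this thread or of the book; the scrypt parameters, the `scrypt$n$r$p$salt$key` storage format and the function names are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed scrypt parameters for illustration; tune to your own hardware.
SCRYPT_N = 2 ** 14   # CPU/memory cost (must be a power of two)
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
DKLEN = 32           # derived key length in bytes


def fast_hash(password: str) -> str:
    """Plain SHA-256: unsalted and deterministic, so equal passwords give equal
    digests, and fast by design, so offline guessing is cheap. Not for passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Derive a salted scrypt key and store it together with its parameters, so
    the cost can be raised later without invalidating existing records."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    salt_b64 = base64.b64encode(salt).decode()
    key_b64 = base64.b64encode(key).decode()
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt_b64}${key_b64}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time; any malformed record simply fails verification."""
    try:
        scheme, n, r, p, salt_b64, key_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        actual = hashlib.scrypt(password.encode(), salt=salt,
                                n=int(n), r=int(r), p=int(p),
                                dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)
```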
