A writer I used to read did an annual Christmas guide for kitchen gifts. It started out interestingly, or at least idiosyncratically (they were weirdly enamored with the Thermomix, a blender that also cooks food and is only really available in Europe). But as it went on, they'd invariably get to the point where they were writing paragraphs about individual spoons, and not interesting ones but the kinds you can get off the shelf at Williams Sonoma or whatever. It became clear that they just really liked writing about their kitchen.<p>That's the vibe here. There's something to be said for an article that forthrightly declares "here are all my idiosyncratic opinions about implementing cryptography". But this one instead purports to be offering guidance to developers. That's a little troublesome, because reasons:<p>* Some of these opinions are pretty outré, such as the encouragement to compose your own CTR-based encrypt-then-MAC out of XChaCha20 and a Blake2b KMAC because... key committing? It's fine to have this opinion and to argue it forcefully but if you're offering guidance, it should probably include the fact that in most situations, simply using a Seal/Unseal AEAD is a more-than-cromulent call.<p>* Some of them seem factually off? I'm no advocate for RSA, but the idea that you should avoid RSA-KEM because it's "worse than using hybrid encryption" --- RSA-KEM is a construction for doing hybrid encryption! (RSA-KEM, roughly: fill the RSA modulus with a full-width random number, then HKDF it to generate a symmetric key).<p>* Some of this gets into Applied Cryptography levels of trivia; for instance: it is probably not all that important to tell developers to avoid Streebog, Meowhash, and SHAcrypt ("nobody uses this, and I’ve never even seen it in a cryptographic library").<p>* A bunch of things have landed on this guy's shitlist for no reason other than not having seen them in many places? This includes SIV (this author really doesn't like SIV), Blake2s, Kangaroo12, any PAKE, or any PQC (note: this follows an earlier recommendation <i>to</i> use PQC). "They're all bad".<p>* There's a bunch of random NSA FUD sprinkled across this; for instance, "SHA2 was designed behind closed doors at the NSA", as if any serious practitioner avoids SHA2, or "P-256 is probably the most popular curve, the seeds for these curves haven’t been explained, which is not a good look considering that Dual_EC_DRBG was a NIST standard despite containing an NSA backdoor" --- Dual EC being basically unrelated to the NIST P-curves, you might as well apply the same logic to SHA2.<p>None of this is like, disqualifying, especially if you're doing a "this is what makes me tick" kind of article, but I think the title it has right now is missing a word before "developer".<p>Colin Percival kicked off this genre of articles with his "Cryptographic Right Answers", which I recall as essentially being a subtextual argument against elliptic curve cryptography. I found his recommendations a little odd (what set me off was probably "Use RSAES-OAEP with SHA256 as the hash function, MGF1+SHA256 as the mask generation function") and set out to write a "Crypographic Right Answers" that fit the zeitgeist as I understood it --- ChaPoly, Nacl/Sodium, Curve25519 and Ed25519. I updated that article at Latacora to be much more prescriptive, and have kind of regretted it; it had become a step back towards what Colin had done, a docket of fiddly decisions we would have made if you contracted us to design something, but not really a reflection of any kind of accepted best practices in our field.<p>We have come full circle with stuff like this, which describes the best practices of exactly one developer in the world, the author. Again, fair enough. But maybe we can just kill this species of post off now.