Skip to content

Document approved cryptographic algorithms for the project #679

New issue
New issue
Open
Open
Document approved cryptographic algorithms for the project#679
Labels
ASVSAnything related to ASVS requirementsL1ASVS L1 requirementdocumentationImprovements or additions to documentationsecurityIssues related to security posture
@andrewmusselman

Description

@andrewmusselman
andrewmusselman
opened on Feb 17, 2026

ASVS References: 11.3.2 (Recommendation 4), 11.4.1 (Suggestion 1)

Description

Multiple audits recommend creating an explicit cryptographic algorithm inventory document. The codebase uses a strong set of algorithms (BLAKE3, SHA3-256, SHA-256, SHA-512 for hashing; HS256/RS256 for JWT; secrets module for RNG), but there is no centralized documentation listing:

  • Approved hash algorithms and their intended use cases
  • Approved symmetric ciphers and modes
  • Approved asymmetric algorithms and minimum key sizes
  • Expected GPG/PGP configuration for signature verification environments
  • Minimum key strength requirements for pgpy operations

A documented cryptographic policy would simplify future audits and help contributors make consistent algorithm choices.

Severity

Informational — Process improvement, not a code vulnerability.

Metadata

Metadata

Assignees

No one assigned

    Labels

    ASVSAnything related to ASVS requirementsL1ASVS L1 requirementdocumentationImprovements or additions to documentationsecurityIssues related to security posture

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions