I’m Filippo Valsorda, Head of Go Cryptography and Creator of Tools, Ask Me Something

Hey r / crypto, it is really soon after a curfew in Italy and I’m caught at dwelling. Question me everything! I am the chief of the Go Security Staff, and among other things, we personal all cryptocurrencies in the Go common library and in golang.org/x/crypto, including quantities and “entertaining” elliptical curve implementations. I manufactured applications this sort of as [mkcert](https://mkcert.dev) and [age](https://age-encryption.org). I produce [a newsletter](https://filippo.io/publication). i’m loud [on Twitter](https://twitter.com/FiloSottile). I have [opinions on PGP](https://arstechnica.com/facts-engineering/2016/12/op-ed-im-offering-up-on-pgp/) and [crypto APIs](https://golang.org/style/cryptography-ideas). I made [the Heartbleed test](https://filippo.io/Heartbleed) at any time. I am Italian and strongly anti-fascist. [More about me](https://weblog.filippo.io/hi/). I failed to prepare so request me about cryptography, Go, protected APIs, diving, complex rationalization, the [Recurse Center](https://recurse.com), age, usable crypto, community talking, every thing. Do not get me fired. Evidence: [my title](https://twitter.com/FiloSottile/standing/1144465918346457090), [the role](https://golang.org/protection#tmp_1), [this AmA](https://twitter.com/FiloSottile/status/1342242012372889605). ** Edit **: I’m undesirable at inquiries that demand the mental equal of a databases index, so things like “what is actually the most X” or “what is a Y” or “what would inform you Z”. I am going to try out anyway, but you may perhaps get a improved response by asking for some thing additional particular, or by delivering illustrations or context that I can remark on. ** Edit 2020-12-25T02: 10: 18Z **: okay it’s 3am and i nevertheless have to pack provides for tomorrow (we have been isolated for a number of weeks, it will be a tiny team, we will send out masks, be risk-free y’all) so I am going to simply call it a night time but maintain inquiring and I am going to check in tomorrow! ** Edit 2020-12-25T20: 59: 12Z **: Merry Christmas and Joyful Holiday seasons! I am again and will test to response all concerns with at the very least 3 factors right before unsubscribing. Thank you everybody for the terrific encounter so far. ** Edit 2020-12-25T23: 00: 23Z **: It’s a wrap! I actually enjoy how great and healthy all people was, and how enlightening the queries were being, this is a fantastic local community. I have a ton of abide by-up perform and [newsletter issue](https://filippo.io/publication) suggestions to feel about. There will also be one [follow-up conversation with Thomas H. Ptacek](https://twitter.com/FiloSottile/position/1342293403321692162) at [Twitch](https://twitch.tv/filosottile) about “Do not Roll Your Possess Crypto”! If you have any other concerns, [catch me on Twitter](https://twitter.com/FiloSottile).

About Cryptoplatforming.com

Cryptoplatforming.com is a news websites which gets news around the globe on investing in Crypto. Our news has no backgroundcheck.

45 thoughts on “I’m Filippo Valsorda, Head of Go Cryptography and Creator of Tools, Ask Me Something”

  1. In an industry where “Don’t Roll Your Own Crypto” is the common refrain, how does one become qualified to write crypto that’s safe for distribution?

  2. I was wondering how old were you when you get into crypto stuff. I always feel too old about getting into practical security as a PhD student. Do you have any starting points that you can recommend? What are the skills that I should invest on for applying to jobs like Security Engineer or Cryptography Engineer at Google or any company in the industry basically?

  3. If you could change one thing about the US, what would it be?

    What do you think about American variations on pizza like deep dish? Also, what about pineapple on pizza?

  4. Age seems like it will be the perfect tool to replace our gnupg based encrypted backups sometime in the future, looking forward to it getting to 1.0.

    – What part of Go’s std lib would you like to depreciate in Go 2?

    – What would you add to Go’s std lib?

  5. What is the main reason, you writing code without color highlighting? Is there anyone in Go team who uses it? 🙂

    Also what brought you to cryptography?

  6. What are some things “we” (meaning, loosely, the open-source, privacy-focused community) need but don’t have yet? (Software projects, algorithms, institutions, laws…)

  7. Interested in chatting about crypto at the phy layer? Id love to hear your thoughts on attack surface and auth for phy layer security schemes.

    …also, thanks for your contributions to the community, much appreciated.

  8. Do you think there’s a place for something similar to PGP to be used as a cross-application identity?

    For example, without PGP, I’d assume git signing commits would use one specific key that can’t really be used by other applications, and encrypted backups use a different key / passphrase, and encrypted messaging uses a third. And you can’t easily prove that “given that user XYZ signed this commit, we can now verify their signal account” (Even if that would require long-term keys)

    Would it make sense to try to set up a single key to be used for all of these, or is a “one key per identity” model too prone to keys being lost or stolen.

    Having every application use its own key is probably the best security-wise, I’m just thinking about if there’s any room for compatibility between all the different applications.

  9. If you were getting started in cryptography for the very first time this weekend, and had to teach yourself practically everything, what would your roadmap of resources be?

  10. Filippo I remember seeing you on the italian news when you published the heartbleed website, you made us nerds very proud.
    Here’s the question(s):

    What studies have you followed in Italy? I bet you were good at math.
    How’s life in Google? And would you ever go back to Italy for your career?

    Sorry for the many references to Italy but I’m curious about that since I’ve never heard an opinion from you 🙂

  11. I have two disjoint points that coalesce into an actual question.

    A while ago I wrote a PHP implementation of minisign.

    More recently, I wrote a blog post about end-to-end encryption, and mentioned [integrating with some sort of decentralized authority-free identity system](https://soatok.blog/2020/11/14/going-bark-a-furrys-guide-to-end-to-end-encryption/#identity-key-management) like [Gossamer](https://github.com/paragonie/libgossamer).

    Do you have any plans on making something like **age** but for digital signatures and/or PKI in the future? And if so, is this something we might collaborate on in the future? 😀

  12. Hi Filippo! I have a question about the Recurse Center: how did you come to know it and how was your experience there?
    Also… Thanks for your efforts in the crypto community!

  13. also: certificates are but one way to a name/key binding and are relic of an offline world where you couldn’t generally expect to fetch keys directly as dkim does. beyond tls, is there any reason to keep deploying certificates unless you really need the offline verification capability? from my standpoint, they just cause people to go non-linear. i mean, look at the mess they made with STIR (rfc 8226).

  14. What’s your math background like? Did you have a strong interest in math before being introduced to cryptography? Or has your passion for cryptography been the driving force for the math you’ve learned?

    One of the things I love about cryptography is that it is an amazing application of some branches of number theory that are otherwise left to the “purists” typically.

  15. Do all of the the crypto operations in golang run in constant time on all supported architectures? If not, would it be feasible to achieve this, and if so, how?

  16. I just want to thank you for mentioning cryptopals in your answers, looks like fun, I will start doing the challanges

    Do you know any similar resources for beginners?

  17. Do you have a favorite cipher, or one that was particularly fun to implement? I’m not a pro by any means, but I’m all aboard on the ARX train

  18. Hey Filippo, if someone is eager to Go’s standard library regularly and even know how to get started (say, already contributed to something minimal and/or understand the process), but don’t know what to choose, what would you suggest? Try to solve reported bugs? Try to propose new features? Try to implement approved ideas that no one seems to be working on? Do you see a clear & productive path for everyone? or is it a matter of self-discovery?


  19. Once I heard someone saying, “Anything (crypto) created by a human being is breakable by a human being.” I can’t recall who said that. I’d love to hear your opinion on this. By the way, I don’t think that statement meant technological development such as quantum computing, but more like an application of pure logic and using available tools. We still don’t know how Fermat “proved” his last theorem centuries earlier when he didn’t have mathematical tools that was available when it was proved in the 90’s. So, that’s why some part of me thinks maybe there are ways to break/decode.

  20. Considering I have the unfortunate circumstance where I have to deal with it regularly – what’s your stance on FIPS in the future?

  21. Hi Filippo, Merry Christmas!

    Any thoughts on ensuring that keys aren’t copied elsewhere in RAM (by either GC or the OS)? I know there have been issues/proposals for achieving this in Go, but do you think that anything approaching official support will actually materialize?

    Relatedly, if you were tasked with designing Yet Another Systems Programming Language, what would it look like?

  22. Do you think elliptic curve encryption has a future after the implementation of fast prime decomposition quantum algorithms?

    Can I get a trans rights?

  23. Hi Filippo! With Ed25519 support moving into the standard library from golang.org/x/crypto, are there any plans to do the same for Curve25519, or to add support for Ed448/Curve448? I absolutely love the Ed25519 APIs, by the way.

  24. Merry Xmas Filippo.
    Like many gophers, I often refer to your post on exposing go on the internet:

    But the blog post came out around the time of Go 1.8. And since then the Go crypto libraries have improved. But new attacks have also emerged.

    Do you have an updated set of recommendations?
    And how far are we from reaching the goal of getting the default crypto and http settings
    secure enough that they can be safely exposed to the internet?

  25. Hey mate! Big fan of your work I remember the hubub and news around Heartbleed and your name.

    What are your opinions of keys.pub (website and github project)?

  26. You mention that doing Cryptopals challenges has been useful to you in the past. Any other recommendations what would be worth doing nowadays to get into cryptography as a career?

  27. I had to deal with AES CBC and padding some month ago, it was a little pain, the data was big. There is no official padding included in go stdlib and many 3rd party have bugs in the padding or unpadding. Also a good Io.Reader implementation for streaming was missing.

    I know CBC is not up-to-date but if you have historically data you don’t have a choise.

    It would be nice if there would be better support for io.reader/writer also with paddings


Leave a Comment