This repository has been archived by the owner on Jun 25, 2018. It is now read-only.

Document the security mechanisms used #54

Open
gggeek opened this issue Aug 18, 2015 · 0 comments

gggeek commented Aug 18, 2015

It would be nice to know a bit more about how encryption is used in this project, so that would-be users can evaluate it easily before adoption and testing.

Things like what data is encrypted, when and how, and what is not.

Having a threat model document would be wonderful, describing common attack scenarios and whether this app is good to prevent them. Such as:

  • network sniffing (esp. in cybercafe scenarios where a MITM could be done even if you are using HTTPS, via a malevolent DNS server and stolen root certs)
  • reading data in-memory of the PHP app (or its logs and source code)
  • are the passwords safe from DBAs or anyone stealing the DB
  • etc...
pklink added this to the 1.0.0 milestone Aug 20, 2015