tialaramex 12 hours ago

It is extremely common that a correct implementation also has excellent performance.

Also, even if somebody else can go faster by not being correct, what use is the wrong answer? https://nitter.net/magdraws/status/1551612747569299458

woodruffw 12 hours ago | parent | next [-]

> It is extremely common that a correct implementation also has excellent performance.

I think that's true in general, but in the case of X.509 path validation it's not a given: the path construction algorithm is non-trivial, and requires quadratic searches (e.g. of name constraints against subjects/SANs). An incorrect implementation could be faster by just not doing those things, which is often fine (for example, nothing really explodes if an EE doesn't have a SAN[1]). I think one of the things that's interesting in the PyCA case is that it commits to doing a lot of cross-checking/policy work that is "extra" on paper but still comes out on top of OpenSSL.

[1]: https://x509-limbo.com/testcases/webpki/#webpkisanno-san
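To make the "quadratic search of name constraints against SANs" concrete, here is an added example (my own toy code, not PyCA's or OpenSSL's implementation) of the dNSName part of RFC 5280 section 4.2.1.10: every CA in the chain may carry permitted/excluded subtrees, and each of them has to be checked against every SAN on the leaf, so the work grows with (number of constraining CAs) times (number of names). The certificate chain, constraint lists and SANs below are constructed sample data; `require_san` is an assumed policy knob showing the "EE without a SAN" edge case the comment mentions, which a lenient validator can skip and a strict one rejects.

```python
"""Toy RFC 5280 dNSName name-constraint evaluation (added example, not PyCA code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NameConstraints:
    """Permitted/excluded dNSName subtrees carried by one CA certificate."""
    permitted: list[str] = field(default_factory=list)
    excluded: list[str] = field(default_factory=list)


def _dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName matching: 'example.com' covers itself and all subdomains;
    a leading dot ('.example.com') covers only proper subdomains."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return name.endswith(subtree) and len(name) > len(subtree)
    return name == subtree or name.endswith("." + subtree)


def check_name(name: str, nc: NameConstraints) -> Optional[str]:
    """Return None if `name` satisfies `nc`, otherwise a human-readable reason.
    Excluded subtrees win over permitted ones; an empty permitted list allows all."""
    for ex in nc.excluded:
        if _dns_in_subtree(name, ex):
            return f"{name} is in excluded subtree {ex}"
    if nc.permitted and not any(_dns_in_subtree(name, p) for p in nc.permitted):
        return f"{name} is not in any permitted subtree {nc.permitted}"
    return None


def validate_san_names(san_dns_names: list[str],
                       chain_constraints: list[NameConstraints],
                       require_san: bool = True) -> tuple[bool, list[str]]:
    """Check every SAN of the leaf against the constraints of every CA above it.
    This nested loop is the quadratic search referred to in the thread.
    `require_san` (assumed policy knob) decides whether a leaf with no dNSName
    SAN is rejected (strict) or passes trivially (lenient)."""
    if not san_dns_names:
        if require_san:
            return False, ["leaf has no dNSName SAN"]
        return True, []
    reasons: list[str] = []
    for nc in chain_constraints:          # one entry per constraining CA
        for name in san_dns_names:        # every name checked against every CA
            reason = check_name(name, nc)
            if reason:
                reasons.append(reason)
    return not reasons, reasons


# Constructed sample chain: root without constraints, intermediate constrained
# to example.com but with internal.example.com carved out.
SAMPLE_CHAIN = [
    NameConstraints(),
    NameConstraints(permitted=["example.com"], excluded=["internal.example.com"]),
]


def demo() -> dict[str, bool]:
    """Run a few constructed leaves through the sample chain; returns name -> ok."""
    cases = {
        "ok": ["www.example.com", "api.example.com"],
        "excluded": ["www.internal.example.com"],
        "not_permitted": ["evil.example.net"],
        "no_san_strict": [],
    }
    results = {label: validate_san_names(sans, SAMPLE_CHAIN)[0]
               for label, sans in cases.items()}
    results["no_san_lenient"] = validate_san_names([], SAMPLE_CHAIN, require_san=False)[0]
    return results


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:15s} -> {'accept' if ok else 'reject'}")
```

The point of the example is the cost structure, not completeness: a real validator also has to handle IP, rfc822Name and directoryName constraints, the subject CN fallback, and constraints that apply only to certificates issued below the CA that carries them. Skipping the inner loop entirely would indeed be faster, and the chain would still "validate"; it would just accept names the constraining CA never authorised.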

jmspring 12 hours ago | parent | prev [-]

I’d say correct common path. OpenSSL due to hand waving deals with a lot of edge cases the correct path doesn’t handle. Even libraries like libnss suffer from this.

nine_k 5 hours ago | parent [-]

Are these edge cases correct to the spec, or not?

pseudohadamard an hour ago | parent [-]

Yes.

The spec is often such a confused mess that even the people who wrote it are surprised by what it requires. One example was when someone on the PKIX list spent some time explaining to X.509 standards people what it was that their own standard required, which they had been unaware of until then.