briansmith (u/briansmith)

briansmith commented on Apple Studio Display and Studio Display XDR apple.com/newsroom/2026/0... · Posted by u/victorbjorklund

bsimpson · 11 days ago

As long as we're here:

What are people's current favorites for a 5K 27" screen that doesn't cost as much as a whole damned computer?

briansmith · 11 days ago

BenQ PD2730S.

briansmith commented on The Pain That Is GitHub Actions feldera.com/blog/the-pain... · Posted by u/qianli_cs

yoyohello13 · a year ago

Glad I’m not the only one. GitLab runners just make sense to me. A container you run scripts in.

I have some GitHub actions for some side projects and it just seems so much more confusing to setup for some reason.

briansmith · a year ago

Actions have special integration with GitHub (e.g. they can annotate the pull request review UI) using an API. If you forgo that integration, then you can absolutely use GitHub Actions like "a container you run scripts in." This is the advice that is usually given in every thread about GitHub Actions.

briansmith commented on Constant-Time Code: The Pessimist Case [pdf] eprint.iacr.org/2025/435.... · Posted by u/yuedongze

briansmith · a year ago

At https://rwc.iacr.org/2025/program.php you can see there is a talk scheduled to be given in a couple weeks titled "Testing Side-channel Security of Cryptographic Implementations against Future Microarchitectures" with the following bits in the abstract: "Using this framework, we conduct an empirical study of 18 proposed microarchitectural optimizations on 25 implementations of eight cryptographic primitives in five popular libraries. We find that every implementation would contain secret-dependent leaks, sometimes sufficient to recover a victim’s secret key, if these optimizations were realized. Ironically, some leaks are possible only because of coding idioms used to prevent leaks under the standard constant-time model."

briansmith commented on Intent to end OCSP service letsencrypt.org/2024/07/2... · Posted by u/soheilpro

blahgeek · 2 years ago

I don't get the OCSP Stampling protocol: if the server needs / is able to to contact the CA frequently anyway, why not simply use very short-lived certificates?

briansmith · 2 years ago

Which CA's will issue short-lived certificates without negotiating a custom ($$$) contract with them?

briansmith commented on AWS Libcrypto for Rust github.com/aws/aws-lc-rs... · Posted by u/jrpelkonen

JoshTriplett · 2 years ago

One reason: you can use this as a backend to rustls, and then you no longer have anything under the OpenSSL license in your dependencies, which improves the license compatibility of your project.

briansmith · 2 years ago

Again, this is just a temporary situation, and a matter of burning down a list of small tasks. Not that the OpenSSL license issue is a big deal for most anyway. Feel free to help; see this issue filed by Josh Triplett: https://github.com/briansmith/ring/issues/1318#issuecomment-...

briansmith commented on AWS Libcrypto for Rust github.com/aws/aws-lc-rs... · Posted by u/jrpelkonen

jrpelkonen · 2 years ago

Maybe so, but pretty much all cryptographic primitives have to be written in assembly anyway to achieve constant time operation. Furthermore, it has a ring compatible API, and it is evidently faster than ring itself[1].

[1] https://www.memorysafety.org/blog/rustls-performance/

briansmith · 2 years ago

> Maybe so, but pretty much all cryptographic primitives have to be written in assembly anyway to achieve constant time operation.

This really oversimplifies the situation. Even at my most pessimistic, I believe just a very few, very small, parts need to be written in assembly language to maintain the "constant time" properties, and that's just until we can work together better with the Rust language team to eliminate these small gaps. Even before then, the Rust language team is doing a good job at independently improving and expanding the building blocks we need to get to entirely-safe (in the Rust `unsafe` sense) and high-performance crypto libraries in Rust.

> evidently faster than ring itself[1].

If you're running on an AVX-512 system, there is a notable performance gap, temporarily. This state will persist for a few months at most, most likely. It's inevitable that we (all the OpenSSL forks, and even including non-OpenSSL-forks like rust-crypto) all converge on more-or-less the same implementations and/or different implementations of the same optimizations.