Joe Birr-Pixton
Some plans for this, but have been waiting for DTLS1.3. That is nearing completion now.
This is going to be quite a large and invasive change, I think. Internally rustls would still need to do some locking to deal with sending alerts resulting from reads,...
I think a useful addition to this PR would be std-feature-gated construction of `IpAddress` from `std::net::IpAddr`. Perhaps a From trait implementation.
I'd be happy with a function which computes a key hash from a webpki `EndEntityCert` or a ring `RSAKeyPair`. I understand the usual thing to do is hash a DER...
> if webpki-roots would be willing to implement a new API based on that.

Certainly. In the short term, the other thought I had was finding some root popularity data...
I think what is happening here is: the serial number is incorrectly encoded, and so is negative. This is illegal -- RFC5280:
```
The serial number MUST be a positive...
```
Related: golang relaxed this in https://github.com/golang/go/commit/a0ea93dea5f5741addc8c96b7ed037d0e359e33f to deal with the same issue -- see eg https://stackoverflow.com/questions/25526870/x509-parsing-error-negative-serial-number-while-pulling-repository and https://github.com/golang/go/issues/8265
> I think what is happening here is: the serial number is incorrectly encoded

Just to confirm this: I cleared the sign bit in the serial number and webpki was...
I checked the CAB baseline requirements and subjectAltName is indeed required, so I've decided I also don't care very much. My knowledge of how this all works in about 10...
> Are you sure these are the semantics you want?

Yes. This is a separate thing from the wosign/startcom rules. I have that on a separate branch, but it's not...