David Benjamin

(Updated the second commit to hopefully fix the lint errors.)

Note that limits on e are necessary to avoid DoS attacks. Many applications, such as TLS and X.509, check signatures from externally-supplied RSA keys. Without bounds on e, RSA scales...

Costs for e aren't just the Hamming weight, though yes checking that _in addition to the bit length_ could give a tighter bound. The cost is bit_length squares and hamming_weight...

I don't think that scenario is a good justification for adding trailers to the platform. It seems much better addressed by looking at timing and when bytes come out of...

@annevk I agree that `postMessage` has tracking potential for cross-site cases, but I don't think they're *quite* the same. In the long-term, I think WebID or something similar is the...

If we do this, we need to be careful about what "reserved" means here. `__Host-` and `__Secure-` also relied on them being accepted in existing clients, or else they would...

I think I agree with @manxorist that the code is a strict aliasing violation. (Though I might suggest a less combative tone.) Compilers have to reason about more local data...

A streaming interface would be problematic for individual HPKE encryptions for the same reason it's problematic for AEADs: https://www.imperialviolet.org/2014/06/27/streamingencryption.html https://www.imperialviolet.org/2015/05/16/aeads.html#:~:text=AEADs%20with%20large%20plaintexts However, HPKE contexts *do* support multiple encryptions (there's a sequence...

Hrm. Could you expand on why you think it's the former? For some background, the specification of HPKE is here: https://www.ietf.org/archive/id/draft-irtf-cfrg-hpke-12.html @chris-wood is one of the spec editors and can...

> It might be a good idea to abandon the whole concept of creating additional SSL_SESSION structures for TLSv1.3 tickets. Be careful here. It is very easy to introduce race...