Tony Arcieri

Results 2560 comments of Tony Arcieri

No code is written like that today. Those types all take care of zeroizing themselves, and the drop impls are gated on the `zeroize` feature. `Zod` can't help there, because...

To do that, add a `Zeroize` impl on `Sha256` instead of a `Drop` impl, then `Hmac` can call zeroize on `Sha256` on drop. That's what I was saying earlier: >...

> No, in my opinion, you can not. I think it's incorrect to implement Zeroize for complex types like Sha256 and Aes128, since zeroized state may not be a valid...

You explicitly mentioned not wanting to leave `Sha256` in a bad state after zeroization. Using `DefaultIsZeroes` makes `zeroize()` synonymous with `reset()`.

> For example, non secret mode can be useful for ephemeral cipher instances stored on stack which get erased by stack bleaching after necessary computations with the cipher are completed....

> Firstly, DefaultIsZeroes is currently bounded by Copy, so it can not be applied to Sha256. Secondly, block-buffer may in future use uninitialized memory for default state and I am...

@nstilt1 it's `unsafe` which should hopefully make people pause and read the instructions before considering it (famous last words, I know)

The typical KMS-style key rotation approach is to issue a new key, use that for new credentials, but keep the old key valid for some time window which doesn’t immediately...

I'm still confused why these are necessary. The `Aead` and `AeadInPlace` traits already provide access to the original tag as part of the original message. With a breaking change we...

But if you have a generic implementation of committing AEADs, what is the purpose of the trait? Abstracting over that and potential future constructions?