So you want to serialize some DER?

https://alexgaynor.net/2025/jun/20/serialize-some-der/

76•lukastyrychtr•7mo ago

Comments

PeeMcGee•7mo ago

The post title is misleading and the content reads more like a guerilla advertisement for claude. TL;DR: author works for Anthropic, and used claude to implement an optimization for LLVM.

quentinp•7mo ago

He’s also well respected in the Python community for maintaining the cryptography package, partially written in Rust. This is just a random blog post, not an ad.

lmm•7mo ago

Maybe. But the fact they work for Anthropic is very relevant and changes my impression of the post quite a lot.

__alexs•7mo ago

FWIW Having worked a lot with Alex on cryptography he seems almost entirely incapable of doing something that I would normally consider an advert.

Sometimes people have good experiences with tools and like to share them.

brabel•7mo ago

The author has added a note in the beginning of the post now making it clear that he works for Anthropic, which may explain the fixation on Claude Code!

benmmurphy•7mo ago

having two very different code paths for measuring the length of the DER buffer and writing the DER sounds very scary. i guess its fine with Rust but the idea would give me the heebee-jeebies for any other language unless they are using a safe buffer implementation. i would find it hard to trust that there is no buffer overflow based on divergent behaviour between the two functions.

tptacek•7mo ago

This piece starts out super-duper inside baseball (optimizing DER encoding for, in the main, X.509 certificate handling) in Rust code that is increasingly leveraged by Python's cryptography stack. But it ends up somewhere crazy: with an LLM agent apparently one-shotting an LLVM optimization, then semiformally verifying the change, which is ultimately merged by the LLVM team.

ggm•7mo ago

So many encoding rules. DER, PER. It's an xkcd cartoon but inside one asn.1 standard!

dathinab•7mo ago

it's as much one standard as OIDC is ;)

(as in it isn't one standard but a group of standards, like asn.1 without any encoding is split in ~4 standards by itself. Through to be fair all or CER, BER and DER are in the same standard. But PER is another standard, so is XER, OER, JER, GSER, RXER each and others.)

jnwatson•7mo ago

The standard is 41 years old, so there has been plenty of time for extensions.

Practically, the useful encodings are DER, which is canonical and used for crypto, and XER, which is human-readable.

It is a neat spec, chock-full of great ideas. Unfortunately, given its age, there have been many bad implementations of it.

zzo38computer•7mo ago

> There’s only one encoding I choose to acknowledge, which is DER (the Distinguished Encoding Representation, it’s got a monocle and tophat).

I also prefer to use DER, because it is better than BER and CER. DER is actually a subset of BER but BER has some messiness which is avoided by DER; because there are not as any ways to encode data by DER this makes it simpler to handle.

DER is also the format used by X.509 certificates, so this is fortunate; however, I use DER for other stuff too (since I think it is generally better than XML, JSON, CSV, etc).

I wrote a library in C to serialize and deserialize DER.

NoahZuniga•7mo ago

DER encoding is in fact unique.

simonw•7mo ago

The most interesting part of this post is the bit about half way down, where Alex uses Claude to help identify a missing compiler optimization in LLVM... and then uses Claude Code to implement that optimization and gets a PR accepted to LLVM itself! https://github.com/llvm/llvm-project/pull/142869

CJefferson•7mo ago

I feel this is going to be the thing which really boosts automated theory proving.

Up until now it's always been a hard sell, people say "Well, I can prove it myself, and that's less work than getting the computer to prove it", and they weren't completely wrong.

However, now we have LLMs which can do lots of interesting work, but really can't be trusted for anything important (like an LLVM optimisation pass, for example). If those LLMs can convince a theorem prover the LLVM optimisation pass is correct, then suddenly their output is much more useful.

tialaramex•7mo ago

One concern here is that proofs don't necessarily prove what we intuitively think they do. So we need to be very careful to understand what we actually proved.

The TLS 1.3 "Selfie attack" is an example of a gap between what we did prove and what we intuitively understood.

The formal proof for TLS 1.3 says Alice talking to Bob gets all the defined benefits of this protocol, and one option is they have a Pre-shared Key (PSK) for that conversation. They both know the same key, in that sense it's symmetric.

But the human intuition is that we're talking about an Alice+Bob key, whereas the proof says this is an Alice->Bob conversation key. If we re-use the same PSK for Bob->Alice conversations too we get the Selfie Attack, the formal proof never said we can expect that to work, it was just our intuition which confused us.

GoblinSlayer•7mo ago

The article says the proof only considered session resumption PSK, and overlooked out of band PSK, which was left for future work. Maybe if they could have a list of features, but TLS is too complex for that.

Also PSK involves sending a PSK identity, which is supposed to be used to find the PSK, in particular it can be a user name, so the server can check the user name is correct.

Student makes cosmic dust in a lab, shining a light on the origin of life

In the Australian outback, we're listening for nuclear tests

'Hermès orange' iPhone sparks Apple comeback in China

Show HN: Goxe 19k Logs/S on an I5

The async builder pattern in Rust

(Golang) Self referential functions and the design of options

Show HN: Model Training Memory Simulator

Claude Code Controller

Software design is now cheap

Show HN: Are You Random? – A game that predicts your "random" choices

Poland to probe possible links between Epstein and Russia

Effectiveness of AI detection tools in identifying AI-generated articles

Warsaw Circle

Reverse Engineering Raiders of the Lost Ark for the Atari 2600

The AI4Agile Practitioners Report 2026

Digital Independence Day

What a bot hacking attempt looks like: SQL injections galore

Show HN: FlashMesh – An encrypted file mesh across Google Drive and Dropbox

Show HN: AgentLens – Open-source observability and audit trail for AI agents

Show HN: ShipClaw – Deploy OpenClaw to the Cloud in One Click

Unlock the Power of Real-Time Google Trends Visit: Www.daily-Trending.org

Explanation of British Class System

Show HN: Jwtpeek – minimal, user-friendly JWT inspector in Go

Willow – Protocols for an uncertain future [video]

Feedback on a client-side, privacy-first PDF editor I built

Clay Christensen's Milkshake Marketing (2011)

Show HN: WeaveMind – AI Workflows with human-in-the-loop

Show HN: Seedream 5.0: free AI image generator that claims strong text rendering

A contributor trust management system based on explicit vouches

Show HN: Analyzing 9 years of HN side projects that reached $500/month