So you want to serialize some DER?

https://alexgaynor.net/2025/jun/20/serialize-some-der/

76•lukastyrychtr•7mo ago

Comments

PeeMcGee•7mo ago

The post title is misleading and the content reads more like a guerilla advertisement for claude. TL;DR: author works for Anthropic, and used claude to implement an optimization for LLVM.

quentinp•7mo ago

He’s also well respected in the Python community for maintaining the cryptography package, partially written in Rust. This is just a random blog post, not an ad.

lmm•7mo ago

Maybe. But the fact they work for Anthropic is very relevant and changes my impression of the post quite a lot.

__alexs•7mo ago

FWIW Having worked a lot with Alex on cryptography he seems almost entirely incapable of doing something that I would normally consider an advert.

Sometimes people have good experiences with tools and like to share them.

brabel•7mo ago

The author has added a note in the beginning of the post now making it clear that he works for Anthropic, which may explain the fixation on Claude Code!

benmmurphy•7mo ago

having two very different code paths for measuring the length of the DER buffer and writing the DER sounds very scary. i guess its fine with Rust but the idea would give me the heebee-jeebies for any other language unless they are using a safe buffer implementation. i would find it hard to trust that there is no buffer overflow based on divergent behaviour between the two functions.

tptacek•7mo ago

This piece starts out super-duper inside baseball (optimizing DER encoding for, in the main, X.509 certificate handling) in Rust code that is increasingly leveraged by Python's cryptography stack. But it ends up somewhere crazy: with an LLM agent apparently one-shotting an LLVM optimization, then semiformally verifying the change, which is ultimately merged by the LLVM team.

ggm•7mo ago

So many encoding rules. DER, PER. It's an xkcd cartoon but inside one asn.1 standard!

dathinab•7mo ago

it's as much one standard as OIDC is ;)

(as in it isn't one standard but a group of standards, like asn.1 without any encoding is split in ~4 standards by itself. Through to be fair all or CER, BER and DER are in the same standard. But PER is another standard, so is XER, OER, JER, GSER, RXER each and others.)

jnwatson•7mo ago

The standard is 41 years old, so there has been plenty of time for extensions.

Practically, the useful encodings are DER, which is canonical and used for crypto, and XER, which is human-readable.

It is a neat spec, chock-full of great ideas. Unfortunately, given its age, there have been many bad implementations of it.

zzo38computer•7mo ago

> There’s only one encoding I choose to acknowledge, which is DER (the Distinguished Encoding Representation, it’s got a monocle and tophat).

I also prefer to use DER, because it is better than BER and CER. DER is actually a subset of BER but BER has some messiness which is avoided by DER; because there are not as any ways to encode data by DER this makes it simpler to handle.

DER is also the format used by X.509 certificates, so this is fortunate; however, I use DER for other stuff too (since I think it is generally better than XML, JSON, CSV, etc).

I wrote a library in C to serialize and deserialize DER.

NoahZuniga•7mo ago

DER encoding is in fact unique.

simonw•7mo ago

The most interesting part of this post is the bit about half way down, where Alex uses Claude to help identify a missing compiler optimization in LLVM... and then uses Claude Code to implement that optimization and gets a PR accepted to LLVM itself! https://github.com/llvm/llvm-project/pull/142869

CJefferson•7mo ago

I feel this is going to be the thing which really boosts automated theory proving.

Up until now it's always been a hard sell, people say "Well, I can prove it myself, and that's less work than getting the computer to prove it", and they weren't completely wrong.

However, now we have LLMs which can do lots of interesting work, but really can't be trusted for anything important (like an LLVM optimisation pass, for example). If those LLMs can convince a theorem prover the LLVM optimisation pass is correct, then suddenly their output is much more useful.

tialaramex•7mo ago

One concern here is that proofs don't necessarily prove what we intuitively think they do. So we need to be very careful to understand what we actually proved.

The TLS 1.3 "Selfie attack" is an example of a gap between what we did prove and what we intuitively understood.

The formal proof for TLS 1.3 says Alice talking to Bob gets all the defined benefits of this protocol, and one option is they have a Pre-shared Key (PSK) for that conversation. They both know the same key, in that sense it's symmetric.

But the human intuition is that we're talking about an Alice+Bob key, whereas the proof says this is an Alice->Bob conversation key. If we re-use the same PSK for Bob->Alice conversations too we get the Selfie Attack, the formal proof never said we can expect that to work, it was just our intuition which confused us.

GoblinSlayer•7mo ago

The article says the proof only considered session resumption PSK, and overlooked out of band PSK, which was left for future work. Maybe if they could have a list of features, but TLS is too complex for that.

Also PSK involves sending a PSK identity, which is supposed to be used to find the PSK, in particular it can be a user name, so the server can check the user name is correct.

You are the reason I am not reviewing this PR

Show HN: FamilyMemories.video – Turn static old photos into 5s AI videos

How Meta Made Linux a Planet-Scale Load Balancer

A Turing Test for AI Coding

How to Identify and Eliminate Unused AWS Resources

A2CDVI – HDMI output from from the Apple IIc's digital video output connector

CLI for Common Playwright Actions

Would you use an e-commerce platform that shares transaction fees with users?

Show HN: SafeClaw – a way to manage multiple Claude Code instances in containers

The Future of the Global Open-Source AI Ecosystem: From DeepSeek to AI+

The Evolution of the Interface

Azure: Virtual network routing appliance overview

Seedance2 – multi-shot AI video generation

Πfs – The Data-Free Filesystem

Go-busybox: A sandboxable port of busybox for AI agents

Quantization-Aware Distillation for NVFP4 Inference Accuracy Recovery [pdf]

xAI Merger Poses Bigger Threat to OpenAI, Anthropic

Atlas Airborne (Boston Dynamics and RAI Institute) [video]

Zen Tools

Is the Detachment in the Room? – Agents, Cruelty, and Empathy

The purpose of Continuous Integration is to fail

Apfelstrudel: Live coding music environment with AI agent chat

What Is Stoicism?

What happens when a neighborhood is built around a farm

Every major galaxy is speeding away from the Milky Way, except one

Extreme Inequality Presages the Revolt Against It

There's no such thing as "tech" (Ten years later)

What Really Killed Flash Player: A Six-Year Campaign of Deliberate Platform Work

Ask HN: Anyone orchestrating multiple AI coding agents in parallel?

Show HN: Knowledge-Bank