Update README.rst #60
Conversation
|
This doesn’t matter for bcrypt. |
Is that sufficient reason to reject it? |
|
My perspective is that while it's cryptographically pointless, it might promote more conscientiousness in people writing crypto which would be a good thing. @reaperhulk ? |
|
I’m usually against adding complexity to no benefit, but it’s up to the maintainers, of course. While it’s true that adding this might prompt people to check how they’re comparing other important values, it’s still a bit misleading…. |
|
@charmander's point is well-taken (and we have rejected unneeded constant time comparisons in our x509 extension layer for cryptography in the past, although that particular example significantly increased complexity), but training lay-people to assume that constant time comparison is The Way™ to do comparisons of cryptographically sensitive data is probably a win. I don't feel strongly about this either way, but I slightly lean towards saying we should leave it as-is since timing attacks are not a concern here. |
See #8