[guitarbill]

One of they devs did say "C is a bad language to implement parsers for e.g. ASN.1". Unfortunately, there are enough examples out there [0] to prove him right. Not all of them will be mitigated by Rust (e.g. something like CVE-2019-17359), but it's probably worth it long-term (idk, i don't feel the pain of security issues day-to-day, only occasionally).

[0] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asn.1

[pornel]

To add data on the Rust side:

https://github.com/rust-fuzz/trophy-case

there are a few Rust ASN implementations. They've been caught running out of memory and having arithmetic overflows, but no segfaults or use-after-frees. Rust doesn't prevent all problems, but things that slip through tend to be less severe.

[dalai]

One could ask whether python would have been an option for writing the parser. There is for example the asn1crypto library, which is pure python.

[xxpor]

I'd have to assume the issue there is really speed.

Edit: @alex made a much better comment here:

https://github.com/pyca/cryptography/issues/5771#issuecommen...

One point that I didn't think of, but makes a ton of sense:

>There's no way to implement constant-time code in pure Python securely