tor-cert's Ed25519Cert has weird tor-checkable impls
Normally, the idea of tor-checkable's `Timebound` (and so on) is that with each verification you perform (signature check, time check) you transform the type from one indicating "property X hasn't been checked, and must be" to a more "bare" type where property X has been checked and which can then be used without further ado.
However, `Ed25519Cert` is weird. For example, we have

```rust
impl tor_checkable::Timebound<Ed25519Cert> for Ed25519Cert {
```

which doesn't make sense. It doesn't fit into the verification/unwrapping pattern.
The docs for `Timebound` say

> It's better to wrap things in a `TimeBound` than to give them an `is_valid()` method, so that you can make sure that nobody uses the object before checking it.

but that is only true if the checked and unchecked versions are different types, and the unchecked version has some impediments to misuse.
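The intended pattern, as an added illustration (this is not tor-checkable's or tor-cert's own code; the trait shape is a simplified sketch, and `TimeValid`, `Cert` and `check_cert_at` are hypothetical names): the unchecked wrapper keeps the inner value private, the check consumes the wrapper, and the caller only ever holds the bare type after the check has passed (or after an explicit, greppable opt-out). An `impl Timebound<Cert> for Cert` would collapse the two types into one, so the check would hand back nothing the caller did not already have.

```rust
// Added example: a simplified sketch of the "check, then unwrap" pattern.
// Not the tor-checkable crate's code; names below are hypothetical.
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// Error returned when a time-bounded object is checked outside its window.
#[derive(Debug, PartialEq, Eq)]
pub enum TimeValidityError {
    NotYetValid,
    Expired,
}

/// `Self` is the *unchecked* wrapper; `T` is the *checked* inner type that
/// you only get back by passing the check (or by explicitly opting out).
pub trait Timebound<T>: Sized {
    type Error;
    fn is_valid_at(&self, t: &SystemTime) -> Result<(), Self::Error>;
    /// Explicit, auditable escape hatch: unwrap without checking.
    fn dangerously_assume_timely(self) -> T;
    /// Consume the wrapper: either the bare inner value or an error.
    fn check_valid_at(self, t: &SystemTime) -> Result<T, Self::Error> {
        self.is_valid_at(t)?;
        Ok(self.dangerously_assume_timely())
    }
}

/// An *unchecked* value. `inner` is private, so callers cannot reach it
/// without going through `Timebound`; that is the "impediment to misuse".
pub struct TimeValid<T> {
    inner: T,
    not_before: SystemTime,
    not_after: SystemTime,
}

impl<T> TimeValid<T> {
    pub fn new(inner: T, not_before: SystemTime, not_after: SystemTime) -> Self {
        TimeValid { inner, not_before, not_after }
    }
}

impl<T> Timebound<T> for TimeValid<T> {
    type Error = TimeValidityError;

    fn is_valid_at(&self, t: &SystemTime) -> Result<(), Self::Error> {
        if *t < self.not_before {
            Err(TimeValidityError::NotYetValid)
        } else if *t > self.not_after {
            Err(TimeValidityError::Expired)
        } else {
            Ok(())
        }
    }

    fn dangerously_assume_timely(self) -> T {
        self.inner
    }
}

/// Stand-in for a parsed certificate (hypothetical; not tor-cert's Ed25519Cert).
/// Note there is no `Timebound` impl on `Cert` itself: holding a `Cert` means
/// the time check has already happened.
#[derive(Debug, PartialEq, Eq)]
pub struct Cert {
    pub subject: String,
}

/// Build a cert valid in a constructed window [1000, 2000] seconds after the
/// Unix epoch and check it at `now_secs`.
pub fn check_cert_at(now_secs: u64) -> Result<Cert, TimeValidityError> {
    let at = |s: u64| UNIX_EPOCH + Duration::from_secs(s);
    let unchecked = TimeValid::new(
        Cert { subject: "example relay".to_string() },
        at(1_000),
        at(2_000),
    );
    // `unchecked` is consumed here; only a checked `Cert` comes back.
    unchecked.check_valid_at(&at(now_secs))
}

fn main() {
    println!("{:?}", check_cert_at(1_500)); // Ok(Cert { subject: "example relay" })
    println!("{:?}", check_cert_at(500)); // Err(NotYetValid)
    println!("{:?}", check_cert_at(2_500)); // Err(Expired)
}
```

The point of the shape is that a `Cert` in hand is proof the check ran: the compiler, not reviewer discipline, prevents using an unchecked value, and the one way around it has a name you can search for in review.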
I'm not sure what the right type structure is, but IMO the current structure is wrong and confusing and unlikely to be the best compromise. However, I don't propose to do anything about this right now.
Found while reviewing !1497 (merged)