Currently verification is done using ==; this is bad because it is not a constant-time comparison. Cryptography's HMAC objects have a verify() method that does the right thing, as well as a general-purpose constant-time comparison, so now that we use Cryptography for the rest of our crypto, we should just use these.
Yes, I think this is a subset of [#4536](#4536) (as is another open PR, for ticket #10086, which is disjoint from this one). I think a lot of the concerns in #4536 disappear with the availability of compare_digest() in Python's stdlib.
The PR I submitted for this ticket just covers the couple of cases in conch, which are, I think, more straightforward to resolve than a few of the other sensitive comparisons in Twisted. Hopefully this can chip away at the variety of comparisons mentioned by #4536 until that ticket is easier to resolve.
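An added example, not part of the ticket or of Twisted's code, contrasting the `==` check described above with the stdlib `hmac.compare_digest()` mentioned in the comment. The function names, key and packet are hypothetical and constructed for illustration; the MAC layout (sequence number followed by the packet) follows RFC 4253 section 6.4, with HMAC-SHA256 assumed as the algorithm.

```python
import hashlib
import hmac
import struct


def packet_mac(key: bytes, seq: int, packet: bytes) -> bytes:
    """HMAC-SHA256 over uint32 sequence number || packet (SSH-style layout)."""
    return hmac.new(key, struct.pack(">L", seq) + packet, hashlib.sha256).digest()


def verify_mac_eq(key: bytes, seq: int, packet: bytes, received: bytes) -> bool:
    # The pattern the ticket objects to: == may return at the first differing
    # byte, so its running time depends on how much of the MAC matched.
    return packet_mac(key, seq, packet) == received


def verify_mac_constant_time(key: bytes, seq: int, packet: bytes, received: bytes) -> bool:
    # compare_digest does not short-circuit on the first mismatching byte.
    return hmac.compare_digest(packet_mac(key, seq, packet), received)


def bytes_examined_by_early_exit(expected: bytes, received: bytes) -> int:
    """Model of a short-circuiting comparison: how many bytes it inspects."""
    examined = 0
    for a, b in zip(expected, received):
        examined += 1
        if a != b:
            break
    return examined


# Constructed sample values, not taken from any real session.
KEY = b"\x01" * 32
PACKET = b"constructed-ssh-packet-payload"
GOOD = packet_mac(KEY, 7, PACKET)
WRONG_FIRST = bytes([GOOD[0] ^ 0xFF]) + GOOD[1:]
WRONG_LAST = GOOD[:-1] + bytes([GOOD[-1] ^ 0xFF])

if __name__ == "__main__":
    samples = (("good", GOOD), ("bad first byte", WRONG_FIRST),
               ("bad last byte", WRONG_LAST))
    for label, mac in samples:
        # Both verifiers return the same answer; only the amount of work a
        # short-circuiting comparison does varies with the input.
        print(label, verify_mac_constant_time(KEY, 7, PACKET, mac),
              bytes_examined_by_early_exit(GOOD, mac))
```

Both verifiers accept and reject the same inputs; the difference is that the work done by the short-circuiting model varies with the position of the first wrong byte, which is the data dependence a constant-time comparison removes.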