"Leichter, Jerry" <[EMAIL PROTECTED]> writes: >A several year old paper by Kaliski discussed using the ASN.1 OID to store >data in.
Damn, beat me to it :-). >It has slightly different properties, but the lesson in this context is that >implementations must properly check the ASN.1 OID field too. The problem is that no amount of checking can catch this. If you register the OID or otherwise get it into some standard somewhere, then it's kosher as far as anyone's concerned. There's no "check" that can catch it if you're required (by a standard, by a client, by bilateral agreement, etc) to accept that OID. (There's been at least one case where random OIDs have been used in the past. Since it's a pain to register them, a large vendor generated them randomly beneath an arc registered to them. Although this is kind of weird and I'm sure was never meant to be done this way, there's nothing inherently invalid about this). Peter. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]