Florian Weimer wrote:
Photuris uses a baroque variable-length integer encoding similar to that of OpenPGP, a clear warning sign. 8-/
Actually, if one variable-length integer encoding is used instead of 5 other formats in all sorts of strange places, I'd say this is a good sign. Although I didn't originally like the variable-length integer I've seen used, I've come to appreciate how much simpler and thus much more secure it makes the code.
The protocol also contains nested containers which may specify conflicting lengths. This is one common source of parser bugs.
Containers for things are inevitable. I've found they should be encapsulated in their own protected container, so that bugs do not cross boundaries. Yes, this makes for redundancy and possibly conflict, but wasn't it said that in security programming, we should be precise in what we write out and precise in what we accept? Any conflict - reject it. iang PS: I think it was Dan Bernstein who said that, in opposition to the aphorism "be gentle in what you accept?" --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
