* William Allen Simpson: > Florian Weimer wrote: >> Photuris uses a baroque variable-length integer encoding similar to >> that of OpenPGP, a clear warning sign. 8-/ > > On the contrary: > > + a VERY SIMPLE "variable-length integer encoding", where every number > has EXACTLY ONE possible representation (unlike ASN.1 which even the > spell-checker wants to replace with assinine). > > + "similar to that of OpenPGP", the most common Open Source security > software of the era, where the code could be easily reused (as it > was in the initial implementation).
Even back then, the integer encoding was considered to be a mistake. | I concur completely. I once got so fed up with this habit that I | tromped around the office singing, "Every bit is sacred / Every bit | is great / When a bit is wasted / Phil gets quite irate." | | Consider this to be one of the prime things to correct. Personally, | I think that numbers should never (well, hardly ever) be smaller | than 32 bits. (Jon Callas, 1997-08-08) >> The protocol also contains >> nested containers which may specify conflicting lengths. This is one >> common source of parser bugs. >> > On the contrary, where are internal nested containers in the protocol? Variable-length integers within other fields, for example. You can't avoid this phenomenon in its entirety, of course, without sacrificing some of the advantages of a binary encoding. > Again, the ISAKMP flaws were foreseeable and avoidable. And Photuris > was written before the existence of ISAKMP. I like ISAKMP as much as the next guy, but somehow I doubt that simpler protocols necessarily lead to more robust software. Sure, less effort is needed to implement them, but writing robust code still comes at an extra cost. *sigh* --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
