"Leichter, Jerry" <[EMAIL PROTECTED]> writes:

>A several year old paper by Kaliski discussed using the ASN.1 OID to store
>data in.

Damn, beat me to it :-).

>It has slightly different properties, but the lesson in this context is that
>implementations must properly check the ASN.1 OID field too.

The problem is that no amount of checking can catch this.  If you register the
OID or otherwise get it into some standard somewhere, then it's kosher as far
as anyone's concerned.  There's no "check" that can catch it if you're
required (by a standard, by a client, by bilateral agreement, etc) to accept
that OID.

(There's been at least one case where random OIDs have been used in the past.
 Since it's a pain to register them, a large vendor generated them randomly
 beneath an arc registered to them.  Although this is kind of weird and I'm
 sure was never meant to be done this way, there's nothing inherently invalid
 about this).


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to