On 09/18/2008 09:48 PM, Kyle Hamilton: > There's another, more pressing issue: > > If there are buffer overflows in ASN.1 parsing (there have been in at > the least OpenSSL and Microsoft's), anyone who can provide a > certificate that points to an AIA that ultimately wouldn't be trusted > could provide malicious data that could compromise the issue. >
Very interesting Kyle. So how do you propose to solve the problem? Any server can send a server certificate including the chain which could provide malicious data! This isn't unique to the AIA extension obviously. A rough server can do that as well? And perhaps gain EV status even? Shouldn't be a problem then...right? > Do not trust input from the user (unless obtained through a secure means). Does that mean, do not trust a server (which is user input after all) and his certificate and supplied chain of CA certificates? -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: [EMAIL PROTECTED] Blog: https://blog.startcom.org _______________________________________________ dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto
