On 09/20/2008 02:45 AM, Julien R Pierre - Sun Microsystems: > > We took care of such issues in our ASN.1 parsing years ago. It was a > large effort and many problems were found, and resolved in NSS 3.9, in > 2004. Currently, we run test cases of millions of malformed certs from > NISCC against every nightly build of NSS, FYI, to make sure that the > code in that area doesn't regress. I'm not saying there are no remaining > bugs - some may be found eventually - but we take the code in our ASN.1 > decoders/encoder very seriously.
Julien, can we assume that by trying to construct a valid chain up to a trusted root - even by fetching intermediate CAs via the AIA CA Issuer extension - doesn't present a risk we can not take? During this discussion I've found that only a very minimal privacy concern exists - if at all. I'd very much like to see the arguments against the implementation of fetching intermediate CA certificates declared null and void. At least to the extend which would allow us for such an implementation. -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: [EMAIL PROTECTED] Blog: https://blog.startcom.org _______________________________________________ dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto
