Holger Reif wrote:
>
> Dr Stephen Henson schrieb:
> >
> > Hmmm. A similar thing could happen with the PKCS#7 and certificate routines:
> > some PKCS#7 implementations don't correctly sort authenticated
> > attributes and some certificates are filled with horrible stuff like
> > indefinite length encoding. The usual workaround is to verify the
> > signature on the original data or order rather than a re-encoded version
> > of it: this is done in a few places already.
>
> This discussion has a long history. There has been a
> discussion with Eric on this behalf long ago. But
> AFAIR Eric was not convinced to make signature
> verification on the original data. Perhaps he
> believed that eventually the correct solution (tm)
> only will survive ;-)

I agree with Eric, though an ability to enable buggy behaviour is also
acceptable.

Cheers,
Ben.

--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
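
An added example, not part of the original thread and not OpenSSL code: it shows why the workaround quoted above works, using a SET OF whose elements the signer emitted unsorted. The function names and the sample bytes are constructed for illustration, and a SHA-256 digest comparison stands in for the actual signature check.

```python
import hashlib

def read_tlv(buf, pos=0):
    """Parse one definite-length TLV with a single-byte tag; return (tag, value, end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise ValueError("indefinite length: not handled in this sketch")
    if first & 0x80:                      # long form: low 7 bits = number of length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def encode_tlv(tag, value):
    """Encode tag + minimal definite length + value."""
    n = len(value)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + value

def der_reencode_set(encoded):
    """Re-encode a SET OF the way a strict DER encoder would: elements sorted."""
    tag, value, _ = read_tlv(encoded)
    elems, pos = [], 0
    while pos < len(value):
        _, _, end = read_tlv(value, pos)
        elems.append(value[pos:end])
        pos = end
    # Bytewise sort equals DER ordering here: a distinct TLV is never a prefix of another.
    return encode_tlv(tag, b"".join(sorted(elems)))

def digest_matches(signed_digest, attr_bytes):
    """Stand-in for signature verification: compare against the signed digest."""
    return hashlib.sha256(attr_bytes).digest() == signed_digest

# Constructed sample: SET OF { SEQ{INT 2}, SEQ{INT 1} }, emitted unsorted by the signer.
ORIGINAL = bytes.fromhex("310a30030201023003020101")
SIGNED_DIGEST = hashlib.sha256(ORIGINAL).digest()   # what the signer actually signed

if __name__ == "__main__":
    print("original bytes:", digest_matches(SIGNED_DIGEST, ORIGINAL))
    print("re-encoded:    ", digest_matches(SIGNED_DIGEST, der_reencode_set(ORIGINAL)))
```

The check over the received bytes succeeds, while the check over the strictly re-encoded structure fails even though both encodings carry the same attributes.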