I don't think there will ever be a 'correct' solution. As time goes on
it appears that more and more attributes will be added to certificates
with a diminishing probability of correctness. (Those adding the
attributes can claim they received them in bad order.)
The only appropriate behaviour is to regard signed objects as blobs.
(Format the strictest, parse the loosest.)
Ron.
> -----Original Message-----
> From: Ben Laurie [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, June 23, 1999 6:57 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Request verification failure
>
> Holger Reif wrote:
> >
> > Dr Stephen Henson wrote:
> > >
> > > Hmmm. A similar thing could happen with the PKCS#7 and certificate routines:
> > > some PKCS#7 implementations don't correctly sort authenticated
> > > attributes and some certificates are filled with horrible stuff like
> > > indefinite length encoding. The usual workaround is to verify the
> > > signature on the original data or order rather than a re-encoded version
> > > of it: this is done in a few places already.
> >
> > This discussion has a long history. There has been a
> > discussion with Eric on this behalf long ago. But
> > AFAIR Eric was not convinced to make signature
> > verification on the original data. Perhaps he
> > believed that eventually the correct solution (tm)
> > only will survive ;-)
>
> I agree with Eric, though an ability to enable buggy behaviour is also
> acceptable.
>
> Cheers,
>
> Ben.
>
> --
> http://www.apache-ssl.org/ben.html
>
> "My grandfather once told me that there are two kinds of people: those
> who work and those who take the credit. He told me to try to be in the
> first group; there was less competition there."
> - Indira Gandhi
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
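
An added illustration, not part of the thread and not OpenSSL code: the workaround Stephen Henson describes, shown on a constructed PKCS#7 authenticated-attribute SET whose elements a signer emitted unsorted. The helper names and attribute values are made up for the example, and a SHA-256 digest comparison stands in for the signature check.

```python
import hashlib
import hmac

def tlv(tag, content):
    """Encode one definite, short-form TLV (content under 128 bytes)."""
    if len(content) > 127:
        raise ValueError("long-form lengths are outside this sketch")
    return bytes([tag, len(content)]) + content

def split_tlvs(content):
    """Split the content octets of a constructed value into element encodings."""
    elems, i = [], 0
    while i < len(content):
        if i + 2 > len(content) or content[i + 1] & 0x80:
            raise ValueError("truncated or non-short-form length")
        end = i + 2 + content[i + 1]
        if end > len(content):
            raise ValueError("element runs past end of SET")
        elems.append(content[i:end])
        i = end
    return elems

def der_reencode_set(encoded):
    """Re-emit a SET OF as a DER encoder would: elements sorted by encoding."""
    if len(encoded) < 2 or encoded[0] != 0x31 or encoded[1] != len(encoded) - 2:
        raise ValueError("not a short-form SET")
    elems = split_tlvs(encoded[2:])
    width = max(map(len, elems), default=0)
    # X.690 compares encodings as octet strings, shorter ones zero-padded.
    elems.sort(key=lambda e: e.ljust(width, b"\x00"))
    return tlv(0x31, b"".join(elems))

# Constructed sample data: two PKCS#9 attributes (contentType, messageDigest).
PKCS = bytes.fromhex("2a864886f70d01")  # OID arcs 1.2.840.113549.1

def attribute(oid_tail, value):
    return tlv(0x30, tlv(0x06, PKCS + oid_tail) + tlv(0x31, value))

CONTENT_TYPE = attribute(b"\x09\x03", tlv(0x06, PKCS + b"\x07\x01"))
MESSAGE_DIGEST = attribute(b"\x09\x04", tlv(0x04, hashlib.sha256(b"constructed content").digest()))
# A signer that emits the attributes unsorted and signs exactly those bytes.
AS_RECEIVED = tlv(0x31, MESSAGE_DIGEST + CONTENT_TYPE)
SIGNED_DIGEST = hashlib.sha256(AS_RECEIVED).digest()  # stand-in for the signature

def verify(attrs, reencode):
    """Compare the digest of the received or re-encoded bytes with the signed one."""
    data = der_reencode_set(attrs) if reencode else attrs
    return hmac.compare_digest(hashlib.sha256(data).digest(), SIGNED_DIGEST)
```

Checking the bytes as received accepts the object, while re-encoding first moves contentType ahead of messageDigest and the digest no longer matches.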