Again, you are right, but what's the lesser evil - being unable to use the new 
OpenSSL because it refuses to deal with the cert that some dim-witted TPM maker 
screwed up, or accept a certificate with a (minor) violation of DER (but not of 
BER)? What bad in your opinion could happen if OpenSSL allowed parsing an 
integer with a leading zero byte (when it shouldn't be there by DER)?

Even in crypto (and that's the area I've been working in for quite a while) 
there are some shades of gray, not only black and white.

P.S. My platform of choice is Mac, and Apple does not put TPM there - so I 
won't gain from this decision, whichever way it turns. ;-) 

  Original Message  
From: Kurt Roeckx
Sent: Thursday, February 11, 2016 18:03
To: [email protected]
Reply To: [email protected]
Cc: Stephen Henson via RT; [email protected]
Subject: Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

On Thu, Feb 11, 2016 at 10:53:25PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> Might I suggest that the right thing in this case would be to keep generation 
> strict, but relax the rules on parsing? "Be conservative in what you send, 
> and liberal with what you receive"?

This might be good advice for some things, but usually not when it
comes to crypto.


Kurt

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4301
Please log in as guest with password guest if prompted
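
The leading-zero case debated in this thread, as an added example (not code from the thread or from OpenSSL): a C check that tells a minimally encoded ASN.1 INTEGER from one carrying a redundant leading octet, plus the normalization a lenient parser would apply. Function names, verdict names and sample bytes are constructed for illustration; only short-form lengths are handled.

```c
#include <stddef.h>
#include <stdio.h>

/* Verdict names are hypothetical (this example's own), not OpenSSL's. */
enum verdict { INT_MALFORMED = -1, INT_MINIMAL = 0, INT_PADDED = 1 };

/* Constructed sample TLVs: tag 0x02, short-form length, content octets. */
static const unsigned char MINIMAL_256[] = { 0x02, 0x02, 0x01, 0x00 };
static const unsigned char NEEDED_ZERO[] = { 0x02, 0x02, 0x00, 0x80 }; /* +128 */
static const unsigned char PADDED_256[]  = { 0x02, 0x03, 0x00, 0x01, 0x00 };
static const unsigned char PADDED_NEG[]  = { 0x02, 0x02, 0xFF, 0x80 }; /* -128 */

/* True when the first octet only repeats the sign bit of the second. */
static int redundant_lead(const unsigned char *c)
{
    return (c[0] == 0x00 && !(c[1] & 0x80)) || (c[0] == 0xFF && (c[1] & 0x80));
}

/* Classify one INTEGER TLV; long-form lengths are out of scope here. */
enum verdict classify_integer(const unsigned char *tlv, size_t n)
{
    if (n < 3 || tlv[0] != 0x02 || (tlv[1] & 0x80) || (size_t)tlv[1] != n - 2)
        return INT_MALFORMED;
    return (n > 3 && redundant_lead(tlv + 2)) ? INT_PADDED : INT_MINIMAL;
}

/* Lenient path: skip redundant octets, return the minimal content length. */
size_t minimal_content(const unsigned char *c, size_t len, const unsigned char **out)
{
    while (len > 1 && redundant_lead(c)) { c++; len--; }
    *out = c;
    return len;
}

int main(void)
{
    const unsigned char *m;
    size_t len = minimal_content(PADDED_256 + 2, 3, &m);
    printf("minimal=%d needed_zero=%d padded=%d padded_neg=%d\n",
           classify_integer(MINIMAL_256, sizeof MINIMAL_256),
           classify_integer(NEEDED_ZERO, sizeof NEEDED_ZERO),
           classify_integer(PADDED_256, sizeof PADDED_256),
           classify_integer(PADDED_NEG, sizeof PADDED_NEG));
    printf("padded 256 normalizes to %zu octets: %02x %02x\n", len, m[0], m[1]);
    return 0;
}
```

A strict parser stops at `INT_PADDED`; a lenient one has to run the equivalent of `minimal_content` before comparing or re-encoding the value, because the padded and minimal byte strings differ while the integer they carry is the same.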
