I'm not sure it directly does anything to improve resistance to
monitoring or active man-in-the-middle attacks, but it seems like
security properties of some protocols could be improved by better
separation of code from data, making data formats that are finite, can
be validated, and don't embed a Turing-complete programming language
interpreter.
An implementation that doesn't depend on artifacts from all over the net
is good too.
An HTTP client that doesn't embed JavaScript or DOM is potentially more
secure, though more limited in scope. (DNS and TCP can still be attacked.)
Groups like OpenID Connect seem to be engaged in reinventing SAML in
JSON. I'm less concerned about JSON as such than about the likelihood it
will be run in web browsers' JavaScript/DOM environments.
XML is not without warts: external entities and the difficulty of
validating XML signatures come to mind.
I don't know ASN.1 well enough to comment on its issues...
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass