I think David's reply nailed what the WG should do:
1. recommend minimizing the code associated with parsing untrusted data.
(like https://www.w3.org/TR/webauthn-3/#clientdatajson-serialization )
2. recommend verifying data before parsing it whenever possible.
The rest is just context that was
Hi Carsten,
Thank you for your reply. Comments are in line.
On 15. Oct 2023, at 18:10, Denis wrote:
Hi Brian and Orie,
In the "old days", such problem did not existed. The prime example is using
ASN.1 / DER where the decoder can first know the full size of the message
using two or more