Bill,
On 3/28/14 at 11:47 AM, [email protected] (Erwann Abalea) wrote:
I don't see the problem with ASN.1.
IMHO, the problem with ASN.1 is that it is too complex. There exists a history of attacks on computer security by sending malformed ASN.1, irritating bugs in ASN.1 encoders. In addition, the ability to specify "infinite" length data has caused buffer overruns.
ASN.1 fans may say that these bugs have all been fixed, and they may be right if no new ASN.1 interpreters are written.
However, complexity is always a bad thing in a security protocol. Make
it only as complex as necessary, and no more complex.
Cheers - Bill
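As an added illustration of the two hazards Bill names above, indefinite ("infinite") length encodings and declared lengths that overrun the buffer, here is a strict DER tag/length parser. It is example code written for this page, not code from the thread, from Certificate Transparency, or from any CA or browser implementation; the function and error names are chosen here, the cap of four length octets is an arbitrary choice, and the sample byte strings are constructed for the demonstration.

```python
"""Strict DER tag/length (TLV) parsing that rejects the BER features a
lenient decoder is most often caught by.

Added example for this page (not from the thread or any CT implementation).
DER is the subset of BER used in X.509, so a certificate parser may reject:
  * indefinite length (length octet 0x80): the element ends only at an
    end-of-contents marker, which a naive decoder may search for past the
    end of its buffer;
  * non-minimal lengths (0x81 0x05 instead of 0x05), which DER forbids and
    which give the same value two encodings;
  * lengths larger than the bytes actually present, the classic source of
    over-reads and overruns.
"""


class DERError(ValueError):
    """Raised for anything that is not well-formed DER."""


def read_tlv(buf: bytes, offset: int = 0):
    """Parse one TLV at buf[offset:] and return (tag, value, next_offset)."""
    n = len(buf)
    if offset >= n:
        raise DERError("truncated: no tag byte")
    start = offset
    first = buf[offset]
    offset += 1
    # High-tag-number form: low five bits all set, then base-128 continuation bytes.
    if first & 0x1F == 0x1F:
        while True:
            if offset >= n:
                raise DERError("truncated: unterminated high tag number")
            b = buf[offset]
            offset += 1
            if b & 0x80 == 0:
                break
    tag = buf[start:offset]

    if offset >= n:
        raise DERError("truncated: no length byte")
    lb = buf[offset]
    offset += 1
    if lb < 0x80:
        length = lb                      # short form, 0..127
    elif lb == 0x80:
        raise DERError("indefinite length is not valid DER")
    else:
        num = lb & 0x7F                  # long form: number of length octets
        if num > 4:                      # arbitrary cap chosen for this example
            raise DERError("length field too long")
        if offset + num > n:
            raise DERError("truncated length field")
        length_bytes = buf[offset:offset + num]
        offset += num
        if length_bytes[0] == 0:
            raise DERError("non-minimal length encoding (leading zero)")
        length = int.from_bytes(length_bytes, "big")
        if length < 0x80:
            raise DERError("non-minimal length encoding (short form required)")

    # Bounds check before slicing: the declared length must fit what we hold.
    if length > n - offset:
        raise DERError("length %d exceeds remaining %d bytes" % (length, n - offset))
    return tag, buf[offset:offset + length], offset + length


def parse_sequence_children(buf: bytes) -> list:
    """Parse a SEQUENCE and return its direct children as (tag, value) pairs."""
    tag, value, end = read_tlv(buf)
    if tag != b"\x30":
        raise DERError("not a SEQUENCE")
    if end != len(buf):
        raise DERError("trailing data after SEQUENCE")
    children, off = [], 0
    while off < len(value):
        t, v, off = read_tlv(value, off)
        children.append((t, v))
    return children


def classify(buf: bytes) -> str:
    """Return 'ok' for a single well-formed DER element, else the error text."""
    try:
        _, _, end = read_tlv(buf)
        return "ok" if end == len(buf) else "trailing data"
    except DERError as e:
        return str(e)


# Constructed sample inputs (not taken from any real certificate).
GOOD = bytes.fromhex("3006020105020107")        # SEQUENCE { INTEGER 5, INTEGER 7 }
INDEFINITE = bytes.fromhex("30800201050000")    # BER indefinite-length SEQUENCE
OVERLONG = bytes.fromhex("0482FFFF4142")        # OCTET STRING claiming 65535 bytes, has 2
NONMINIMAL = bytes.fromhex("0481024142")        # 0x81 0x02 where 0x02 alone is required
TRUNCATED = bytes.fromhex("30060201")           # SEQUENCE cut off mid-way

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("INDEFINITE", INDEFINITE),
                         ("OVERLONG", OVERLONG), ("NONMINIMAL", NONMINIMAL),
                         ("TRUNCATED", TRUNCATED)]:
        print("%-10s -> %s" % (name, classify(sample)))
```

The point of the bounds check is that it runs on the declared length before any slice or copy is made; a decoder that trusts the length field and copies first is the one that turns a malformed certificate into an over-read.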
I agree that ASN.1 is complex, and if this were a new protocol, not tied to any existing ASN.1-based data structures, I would not select ASN.1 as a starting point. But since we're talking about data from a TBS cert, since the generators of the data are CAs (who should know how to process ASN.1), and since the consumers of the data are browsers who already process certs, it seems reasonable to stick with ASN.1.
Steve
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans