[
Lists Home |
Date Index |
Thread Index
]
On Fri, 2003-10-03 at 11:53, Tyler Close wrote:
> If we dismiss this data point as the result of 'sloppy
> programming', then who among us is not 'sloppy'? Do we think web
> services hackers are typically more competent than the OpenSSL
> hackers?
>
> Tyler
First, I'm totally ASN clueless.
However, following this thread, and remembering Tim Bray's longstanding
complaints about the quality of the ASN.1 data he sees, and the
functionality of the tools he can find to process it, my feeling would
be to take a look at ASN.1 itself. And not particularly look for
security problems, but difficulty of implementation, and possibly of
understanding.
If a spec is hard to implement, surely it's hard to implement securely.
Certainly that applies if it's hard to understand.
If it is hard to implement, what is gained by the tradeoff?
Frank Richards
|
