I am not dismissing it. I was saying, let's not play
Spy Vs Spy.

The problem with the argument is lack of details or facts.
I don't know that ASN.1 itself is something that is too
complex to implement securely, or that XML is so simple
that it is more likely to be implemented securely. One
can speculate in either direction. I am interested if
ASN.1 is inherently flawed with respect to security and
I am inclined to doubt it. The OpenSSL programmers
made mistakes for sure. But so what? I am asking if,
as in the billion laughs problems with XML, there are
features of ASN.1 guaranteed to cause security problems.

There isn't enough history with web services and the
coding skills of the web service programmers yet to
be significant. I note that the security
specifications have been a long time coming.

len

-----Original Message-----
From: Tyler Close [mailto:tyler@waterken.com]

On Friday 03 October 2003 11:48, Bullard, Claude L (Len) wrote:
> Ok. What precisely about ASN.1 poses security
> problems beyond the implementation? I'm surprised
> to hear that. ASN.1 has been around for a long
> time.

I am not making a remark about problems beyond the implementation.
I am only pointing out that the implementation itself has proved
problematic, even in a coding culture that is highly attuned to
security issues.

If we dismiss this data point as the result of 'sloppy
programming', then who among us is not 'sloppy'? Do we think web
services hackers are typically more competent than the OpenSSL
hackers?