
   RE: [xml-dev] Fwd: [e-lang] Protocol implementation errors


I am not dismissing it.  I was saying, let's not play 
Spy Vs Spy. 

The problem with the argument is lack of details or facts. 
I don't know that ASN.1 itself is something that is too 
complex to implement securely, or that XML is so simple 
that it is more likely to be implemented securely.  One 
can speculate in either direction.  I am interested if 
ASN.1 is inherently flawed with respect to security and 
I am inclined to doubt it.   The OpenSSL programmers 
made mistakes for sure.  But so what?  I am asking if, 
as in the billion laughs problems with XML, there are 
features of ASN.1 guaranteed to cause security problems.

There isn't enough history with web services and the 
coding skills of the web service programmers yet to 
be significant.  I note that the security 
specifications have been a long time coming.

len

-----Original Message-----
From: Tyler Close [mailto:tyler@waterken.com]

On Friday 03 October 2003 11:48, Bullard, Claude L (Len) wrote:
> Ok.  What precisely about ASN.1 poses security
> problems beyond the implementation?  I'm surprised
> to hear that.  ASN.1 has been around for a long
> time.

I am not making a remark about problems beyond the implementation.
I am only pointing out that the implementation itself has proved
problematic, even in a coding culture that is highly attuned to
security issues.

If we dismiss this data point as the result of 'sloppy
programming', then who among us is not 'sloppy'? Do we think web
services hackers are typically more competent than the OpenSSL
hackers?




 
