
   Re: [xml-dev] Fwd: [e-lang] Protocol implementation errors


> I am asking if, 
> as in the billion laughs problems with XML, there are 
> features of ASN.1 guaranteed to cause security problems.

ASN.1, itself, is just a data declaration language, like an IDL.  More 
probably, you have to look at the specific encoding rules to see the 
wire format (serialization) to see if that's architecturally broken.
ASN.1 is like the infoset, and DER, BER, PER, XER (encoding rules) are 
like XML 1.0.  BER can be useful for optimizing in homogeneous 
environments (e.g., it lets you pick the byte-order for integers).  In 
the security environment (PKI, certs, etc), you use DER because there's 
only one way to encode and you need that for hashing; PER we just heard 
about, it's compact; XER is writing ASN.1 as XML.
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
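
The point above about DER having only one way to encode, and why hashing needs that, shown as an added example that is not part of the original message. The two byte strings are constructed samples and the function names are hypothetical; the parser covers only single-byte tags with definite lengths.

```python
import hashlib

# Constructed samples: the same OCTET STRING "hello" under two encodings.
DER_FORM = bytes.fromhex("040568656c6c6f")    # short-form length (the only DER form)
BER_FORM = bytes.fromhex("04810568656c6c6f")  # long-form length (valid BER, not DER)

def read_tlv(buf, strict_der=False):
    """Parse one tag-length-value element; return (tag, value, rest)."""
    if len(buf) < 2:
        raise ValueError("truncated TLV")
    tag, first = buf[0], buf[1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not handled here")
    if first < 0x80:                      # short form: length fits in one byte
        length, hdr = first, 2
    elif first == 0x80:                   # indefinite length exists only in BER
        raise ValueError("indefinite length (BER only) not handled here")
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if first == 0xFF or len(buf) < 2 + n:
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[2:2 + n], "big")
        hdr = 2 + n
        # DER requires the shortest possible length encoding.
        if strict_der and (length < 0x80 or buf[2] == 0):
            raise ValueError("non-minimal length: BER, not DER")
    if len(buf) < hdr + length:
        raise ValueError("truncated value")
    return tag, buf[hdr:hdr + length], buf[hdr + length:]

def is_der(buf):
    """True if buf is exactly one element that passes the DER length rules."""
    try:
        _, _, rest = read_tlv(buf, strict_der=True)
    except ValueError:
        return False
    return rest == b""

def digest(buf):
    """SHA-256 over the encoded bytes, as a signature or fingerprint would use."""
    return hashlib.sha256(buf).hexdigest()

if __name__ == "__main__":
    for name, enc in (("DER", DER_FORM), ("BER", BER_FORM)):
        _, value, _ = read_tlv(enc)
        print(name, value, "is_der=%s" % is_der(enc), digest(enc)[:16])
```

Both inputs decode to the same value, but their digests differ, so a verifier that hashes received bytes should reject anything that fails the strict check instead of re-encoding it.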



Copyright 2001 XML.org. This site is hosted by OASIS