> I am asking if,
> as in the billion laughs problems with XML, there are
> features of ASN.1 guaranteed to cause security problems.
ASN.1, itself, is just a data declaration language, like an IDL. More
probably, you have to look at the specific encoding rules to see the
wire format (serialization) to see if that's architecturally broken.
ASN.1 is like the infoset, and DER, BER, PER, XER (encoding rules) are
like XML 1.0. BER can be useful for optimizing in homogeneous
environments (e.g., it lets you pick the byte-order for integers). In
the security environment (PKI, certs, etc.), you use DER because there's
only one way to encode and you need that for hashing; PER we just heard
about, it's compact; XER is writing ASN.1 as XML.
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
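
The point about DER having only one way to encode, which hashing depends on, shown as an added example that is not part of the original message: the same BOOLEAN TRUE in three encodings that a BER reader accepts, of which only one is DER, each with a different SHA-256 digest. The function names and the sample bytes are constructed for illustration.

```python
import hashlib

def parse_tlv(buf):
    """Parse one definite-length TLV; return (tag, value, length_is_minimal)."""
    if len(buf) < 2:
        raise ValueError("too short")
    tag, first = buf[0], buf[1]
    if first < 0x80:                       # short form: one length octet
        length, hdr, minimal = first, 2, True
    else:
        n = first & 0x7F                   # long form: n length octets follow
        if n == 0:
            raise ValueError("indefinite length is BER-only, not handled here")
        length = int.from_bytes(buf[2:2 + n], "big")
        hdr = 2 + n
        # DER demands the shortest length form: no long form below 128,
        # no leading zero octet in the length.
        minimal = length >= 0x80 and buf[2] != 0
    if hdr + length != len(buf):
        raise ValueError("truncated or trailing data")
    return tag, buf[hdr:], minimal

def decode_boolean(buf):
    """Decode a BOOLEAN the way a BER reader would; return (value, is_der)."""
    tag, value, minimal = parse_tlv(buf)
    if tag != 0x01 or len(value) != 1:
        raise ValueError("not a BOOLEAN")
    # BER: any non-zero octet means TRUE. DER: TRUE is 0xFF, FALSE is 0x00.
    canonical = value[0] in (0x00, 0xFF)
    return value[0] != 0, minimal and canonical

# Constructed sample encodings of BOOLEAN TRUE
SAMPLES = {
    "DER":                  bytes.fromhex("0101ff"),
    "BER non-0xFF TRUE":    bytes.fromhex("010101"),
    "BER long-form length": bytes.fromhex("018101ff"),
}

def survey():
    """Return {name: (value, is_der, sha256_hex)} for each sample."""
    return {name: (*decode_boolean(enc), hashlib.sha256(enc).hexdigest())
            for name, enc in SAMPLES.items()}

if __name__ == "__main__":
    for name, (value, is_der, digest) in survey().items():
        print(f"{name:22} value={value} der={is_der} sha256={digest[:16]}")
```

A verifier that hashes or signs over received bytes should reject input where `is_der` is false rather than re-encode it.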