[
Lists Home |
Date Index |
Thread Index
]
Rich Salz wrote:
>
> > I am asking if,
> > as in the billion laughs problems with XML, there are
> > features of ASN.1 guaranteed to cause security problems.
>
> ASN.1, itself, is just a data declaration language, like an
> IDL. More
> probably, you have to look at the specific encoding rules to see the
> wire format (serialization) to see if that's architecturally
> broken.
The SNMP vulnerability issue exploded early last year. After over 18 months
of close scrutiny, no one has been able to report any architectural flaw in
either the ASN.1 notation or any of the standard encoding rules, which might
have increased the risk of program misbehavior. The standards are innocent.
Alessandro
> ASN1 is like the infoset, and DER, BER, PER, XER
> (encoding rules) are
> like XML 1.0. BER can be useful for optimizing in homogeneous
> environments (e.g., it lets you pick the byte-order for
> integers). In
> the security environment (PKI, certs, etc), you use DER
> because there's
> only one way to encode and you need that for hashing; PER we
> just heard
> about, it's compact; XER is writing ASN.1 as XML.
> /r$
> --
> Rich Salz, Chief Security Architect
> DataPower Technology
> http://www.datapower.com
> XS40 XML Security Gateway
> http://www.datapower.com/products/xs40.html
> XML Security Overview
> http://www.datapower.com/xmldev/xmlsecurity.ht> ml
>
>
>
>
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org
> <http://www.xml.org>, an initiative of OASIS
<http://www.oasis-open.org>
The list archives are at http://lists.xml.org/archives/xml-dev/
To subscribe or unsubscribe from this list use the subscription
manager: <http://lists.xml.org/ob/adm.pl>
|
