OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] Fwd: [e-lang] Protocol implementation errors

[ Lists Home | Date Index | Thread Index ]

> After over 18 months
> of close scrutiny, no one has been able to report any architectural flaw in
> either the ASN.1 notation or any of the standard encoding rules, which might
> have increased the risk of program misbehavior.  The standards are innocent.

That's a pretty broad claim to make, and I'm not so sure I'd go along 
with that.  I could imagine playing some interesting games with 
indefinite-form length (or tag) values that get something "interesting" 
to happen because they cause wrap-around or (for lengths) make the 
system consume gobs of memory, hang in a network read waiting for the 
infinite data that will never come, etc.  Did the scrutinizers think of 
those things?

In my experience, fixing "too long" errors for XML parsers has to happen 
  in only one place.  Fixing them for ASN.1/[BDP]ER parsers requires 
fixing it every time you nest a structure or list.
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS