

> I am asking if, 
> as in the billion laughs problems with XML, there are 
> features of ASN.1 guaranteed to cause security problems.

ASN.1, itself, is just a data declaration language, like an IDL.  More 
probably, you have to look at the specific encoding rules to see the 
wire format (serialization) to see if that's architecturally broken.
ASN.1 is like the infoset, and DER, BER, PER, XER (encoding rules) are 
like XML 1.0.  BER can be useful for optimizing in homogeneous 
environments (e.g., it lets you pick the byte-order for integers).  In 
the security environment (PKI, certs, etc), you use DER because there's 
only one way to encode and you need that for hashing; PER we just heard 
about, it's compact; XER is writing ASN.1 as XML.
	/r$
-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
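
The point above about DER having only one way to encode, and hashing needing that, shown as an added example that is not part of the original message. The function names and the sample byte strings are constructed for illustration, and the decoder assumes single-byte tags and handles only primitive BOOLEAN and INTEGER values.

```python
import hashlib

class NotDER(ValueError):
    """Valid BER, but not the single encoding DER allows."""

def decode(buf, der=False):
    """Decode one primitive BOOLEAN or INTEGER TLV; der=True enforces DER."""
    if len(buf) < 2:
        raise ValueError("truncated header")
    tag, first = buf[0], buf[1]
    if first < 0x80:                      # short-form length
        length, off = first, 2
    else:                                 # long form: (first & 0x7F) length octets follow
        n = first & 0x7F
        if n == 0 or len(buf) < 2 + n:
            raise ValueError("indefinite or truncated length")
        length, off = int.from_bytes(buf[2:2 + n], "big"), 2 + n
        if der and (length < 0x80 or buf[2] == 0):
            raise NotDER("length is not in its shortest form")
    body = buf[off:]
    if len(body) != length or length == 0:
        raise ValueError("length does not match content")
    if tag == 0x01 and length == 1:       # BOOLEAN
        if der and body[0] not in (0x00, 0xFF):
            raise NotDER("DER TRUE must be 0xFF")
        return body[0] != 0
    if tag == 0x02:                       # INTEGER, two's complement
        return int.from_bytes(body, "big", signed=True)
    raise ValueError("unsupported type")

def is_der(buf):
    """True if buf decodes under the DER restrictions checked above."""
    try:
        decode(buf, der=True)
        return True
    except NotDER:
        return False

SAMPLES = {  # constructed encodings (hex), not taken from any real certificate
    "int5_der": "020105",          # shortest length form
    "int5_ber_long": "02810105",   # long-form length, one length octet
    "int5_ber_pad": "0282000105",  # long-form length with a leading zero octet
    "true_der": "0101ff",
    "true_ber": "010101",          # BER accepts any non-zero octet as TRUE
}

def report():
    """Map name -> (decoded value, is DER?, SHA-256 of the encoded bytes)."""
    return {name: (decode(b), is_der(b), hashlib.sha256(b).hexdigest())
            for name, b in ((k, bytes.fromhex(v)) for k, v in SAMPLES.items())}
```

All three INTEGER samples decode to 5 and both BOOLEAN samples decode to TRUE, yet each byte string hashes differently, so a verifier that hashes received bytes has to reject the non-DER forms rather than accept them as equivalent.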

