RE: Fwd: [e-lang] Protocol implementation errors
I am not dismissing it. I was saying, let's not play Spy Vs Spy. The problem with the argument is lack of details or facts.

I don't know that ASN.1 itself is something that is too complex to implement securely, or that XML is so simple that it is more likely to be implemented securely. One can speculate in either direction. I am interested if ASN.1 is inherently flawed with respect to security and I am inclined to doubt it. The OpenSSL programmers made mistakes for sure. But so what? I am asking if, as in the billion laughs problems with XML, there are features of ASN.1 guaranteed to cause security problems.

There isn't enough history with web services and the coding skills of the web service programmers yet to be significant. I note that the security specifications have been a long time coming.

len

-----Original Message-----
From: Tyler Close [mailto:tyler@w...]

On Friday 03 October 2003 11:48, Bullard, Claude L (Len) wrote:
> Ok. What precisely about ASN.1 poses security
> problems beyond the implementation? I'm surprised
> to hear that. ASN.1 has been around for a long
> time.

I am not making a remark about problems beyond the implementation. I am only pointing out that the implementation itself has proved problematic, even in a coding culture that is highly attuned to security issues. If we dismiss this data point as the result of 'sloppy programming', then who among us is not 'sloppy'? Do we think web services hackers are typically more competent than the OpenSSL hackers?