Re: Best practice for data encoding?

Hi -

> From: "Steven M. Bellovin" <smb@xxxxxxxxxxxxxxx>
> To: "Randy Presuhn" <randy_presuhn@xxxxxxxxxxxxxx>
> Cc: <ietf@xxxxxxxx>
> Sent: Monday, June 05, 2006 4:09 PM
> Subject: Re: Best practice for data encoding?
...
> > I'm curious, too, about the claim that this has resulted in security
> > problems.  Could someone elaborate?
> > 
> See http://www.cert.org/advisories/CA-2002-03.html
...

I remember that exercise.  I don't see it as convincing evidence that
the use of ASN.1 was the cause of the problems some implementations
had; I doubt that someone who had buffer overflow problems when
processing a BER-encoded octet string (where the length is explicitly
encoded) would have had any better results with XML or any other
representation.

Randy
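
The bounds checks a decoder needs when reading a BER OCTET STRING whose length is explicitly encoded, as an added example that is not part of the original message or of any implementation covered by the advisory. The function name and the sample bytes are constructed for illustration, and only primitive definite-length encodings are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode one primitive, definite-length BER OCTET STRING (tag 0x04) from
 * in[0..in_len) into out[0..out_cap). Returns the content length, or -1
 * for malformed, truncated or oversized input. Hypothetical helper. */
long ber_get_octet_string(const uint8_t *in, size_t in_len,
                          uint8_t *out, size_t out_cap)
{
    size_t pos = 0, len = 0;
    if (in_len < 2 || in[pos++] != 0x04)
        return -1;                   /* need tag plus one length octet */

    uint8_t first = in[pos++];
    if (first < 0x80) {
        len = first;                 /* short form: length 0..127 */
    } else {
        size_t n = first & 0x7f;     /* long form: n length octets follow */
        if (n == 0 || n > sizeof(size_t) || n > in_len - pos)
            return -1;               /* indefinite, too wide, or truncated */
        while (n--)
            len = (len << 8) | in[pos++];
    }
    /* The encoded length is sender-controlled: check it against the bytes
     * actually received and the destination capacity before copying. */
    if (len > in_len - pos || len > out_cap)
        return -1;
    memcpy(out, in + pos, len);
    return (long)len;
}

/* Constructed sample encodings, not taken from any real trace. */
static const uint8_t ok_short[]  = {0x04, 0x03, 'a', 'b', 'c'};
static const uint8_t lying_len[] = {0x04, 0x7f, 'a'};  /* claims 127, has 1 */
static const uint8_t ok_long[]   = {0x04, 0x81, 0x05, 1, 2, 3, 4, 5};
static const uint8_t huge_len[]  = {0x04, 0x84, 0xff, 0xff, 0xff, 0xff};

int main(void)
{
    uint8_t buf[8];
    printf("%ld %ld %ld %ld\n",
           ber_get_octet_string(ok_short, sizeof ok_short, buf, sizeof buf),
           ber_get_octet_string(lying_len, sizeof lying_len, buf, sizeof buf),
           ber_get_octet_string(ok_long, sizeof ok_long, buf, 4),
           ber_get_octet_string(huge_len, sizeof huge_len, buf, sizeof buf));
    return 0;
}
```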

