Are you kidding? That's *insane*ly complex, compared to just having a single standard spelling.
XML dsig (at least libxml version) is crazy slow, too.
TLS renegotiation vulnerability
Posted Nov 22, 2009 17:01 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)
The trick in doing XML dsig is to output XML directly in a canonical format, then you can have a pretty fast implementation.
It's still slower than uber-optimized ASN.1 parsers, but personally, I don't care even if it's 10x slower.
Posted Nov 23, 2009 0:17 UTC (Mon) by foom (subscriber, #14868)
That's a bit silly. Have you ever looked at ASN.1? It's really quite trivial. So much easier than XML, it's hard to imagine why anyone would want to use an XML parser instead in security sensitive
Certificates actually use DER, which is a slightly restricted subset of BER:
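An added illustration of the DER-versus-BER point in the comment above, not part of the original thread or any poster's code: a minimal TLV reader that accepts several BER encodings of INTEGER 5 in lenient mode but only one under DER rules, which is what makes a signature over the encoded bytes unambiguous. The names `read_tlv`, `accepts` and `DERError` are hypothetical and the sample bytes are constructed.

```python
class DERError(ValueError):
    """Raised when an encoding is malformed or violates DER."""

def read_tlv(buf, pos=0, strict=True):
    """Parse one tag-length-value at buf[pos:]; return (tag, value, next_pos).
    strict=True enforces DER; strict=False accepts definite-length BER."""
    if pos + 2 > len(buf):
        raise DERError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise DERError("high-tag-number form not handled in this sketch")
    pos += 2
    if first < 0x80:                      # short form: length in one octet
        length = first
    elif first in (0x80, 0xFF):           # indefinite (BER only) / reserved
        raise DERError("indefinite or reserved length octet")
    else:                                 # long form: next n octets hold length
        n = first & 0x7F
        if pos + n > len(buf):
            raise DERError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        # DER: the length must use the fewest octets possible.
        if strict and (buf[pos] == 0 or length < 0x80):
            raise DERError("non-minimal length encoding")
        pos += n
    end = pos + length
    if end > len(buf):
        raise DERError("value runs past end of input")
    value = buf[pos:end]
    if strict and tag == 0x02:            # INTEGER must be minimal too
        if not value:
            raise DERError("empty INTEGER")
        if len(value) > 1 and ((value[0] == 0x00 and value[1] < 0x80) or
                               (value[0] == 0xFF and value[1] >= 0x80)):
            raise DERError("INTEGER has redundant leading octet")
    return tag, value, end

def accepts(buf, strict):
    """True if buf parses as exactly one TLV under the chosen rules."""
    try:
        return read_tlv(buf, 0, strict)[2] == len(buf)
    except DERError:
        return False

# Constructed samples: three encodings of INTEGER 5.
SAMPLES = [bytes.fromhex(h) for h in ("020105", "02810105", "02020005")]
BER_OK = [accepts(s, strict=False) for s in SAMPLES]   # all three accepted
DER_OK = [accepts(s, strict=True) for s in SAMPLES]    # only the first
```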
Posted Nov 23, 2009 8:26 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
To be fair, XML canonicalization rules are designed for arbitrary XML. It's possible to simplify them by using a subset of XML. For example, by restricting entities, CDATA and namespace use.
In any case, less complex formats like JSON can be used instead of XML.
Posted Nov 23, 2009 13:50 UTC (Mon) by quotemstr (subscriber, #45331)
Wherever ASN.1 goes, destruction and pain follow. Examples: LDAP, SNMP, SSL/TLS, Kerberos.
Posted Nov 23, 2009 15:49 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
I can easily do this for HTTP/FTP/SMTP, even IMAP. I don't even want to contemplate this for SSL/TLS.
That's the problem, it's impossible to create a simple client for SSL.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.