The trick in doing XML dsig is to output XML directly in a canonical format, then you can have a pretty fast implementation.
It's still slower than uber-optimized ASN.1 parsers, but personally, I don't care even if it's 10x slower.
TLS renegotiation vulnerability
Posted Nov 23, 2009 0:17 UTC (Mon) by foom (subscriber, #14868)
That's a bit silly. Have you ever looked at ASN.1? It's really quite trivial. So much easier than XML, it's hard to imagine why anyone would want to use an XML parser instead in security sensitive
Certificates actually use DER, which is a slightly restricted subset of BER:
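The point above about DER being a restricted subset of BER is easy to see in code. What follows is an added example, not code from the thread or from any library: a small strict DER TLV decoder that accepts the DER forms and rejects the BER-only encodings a lenient decoder would happily accept (indefinite lengths, non-minimal length fields, non-canonical BOOLEAN and INTEGER values). The sample byte strings are constructed for the example; the tag set covered is deliberately limited to a handful of universal types.

```python
# Strict DER (TLV) decoder -- added example, not from the thread or any library.
# It accepts the DER subset and raises DerError on BER-only encodings.

class DerError(ValueError):
    """Raised when the input is not valid DER (it may still be valid BER)."""

# Only the universal tags needed for the examples below.
UNIVERSAL_TAG_NAMES = {0x01: "BOOLEAN", 0x02: "INTEGER", 0x04: "OCTET STRING",
                       0x05: "NULL", 0x30: "SEQUENCE"}

def _read_length(buf, pos):
    """Parse a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise DerError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form: one byte, value < 128
        return first, pos
    if first == 0x80:                      # 0x80 alone = indefinite length (BER only)
        raise DerError("indefinite length is BER only")
    nbytes = first & 0x7F                  # long form: number of length bytes
    if nbytes > 4:
        raise DerError("length field too long for this example")
    if pos + nbytes > len(buf):
        raise DerError("truncated long-form length")
    raw = buf[pos:pos + nbytes]
    pos += nbytes
    if raw[0] == 0x00:
        raise DerError("length has a leading zero byte (non-minimal)")
    length = int.from_bytes(raw, "big")
    if length < 0x80:
        raise DerError("long-form length used for a value < 128 (non-minimal)")
    return length, pos

def decode_der(buf, pos=0):
    """Decode one TLV at buf[pos]; return ((type_name, value), position after it)."""
    if pos >= len(buf):
        raise DerError("truncated tag")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise DerError("multi-byte tags are not covered by this example")
    pos += 1
    length, pos = _read_length(buf, pos)
    if pos + length > len(buf):
        raise DerError("value runs past the end of the buffer")
    value = buf[pos:pos + length]
    end = pos + length
    name = UNIVERSAL_TAG_NAMES.get(tag, "tag 0x%02x" % tag)
    if tag & 0x20:                          # constructed: decode the children
        children, p = [], pos
        while p < end:
            child, p = decode_der(buf, p)
            children.append(child)
        return (name, children), end
    if tag == 0x01:                         # DER BOOLEAN is exactly 0x00 or 0xFF
        if length != 1 or value[0] not in (0x00, 0xFF):
            raise DerError("DER BOOLEAN must be a single byte 0x00 or 0xFF")
        return (name, value[0] == 0xFF), end
    if tag == 0x02:                         # DER INTEGER uses the fewest bytes possible
        if length == 0:
            raise DerError("empty INTEGER")
        if length > 1 and ((value[0] == 0x00 and value[1] < 0x80) or
                           (value[0] == 0xFF and value[1] >= 0x80)):
            raise DerError("INTEGER not minimally encoded")
        return (name, int.from_bytes(value, "big", signed=True)), end
    if tag == 0x05:
        if length != 0:
            raise DerError("NULL must have an empty value")
        return (name, None), end
    return (name, bytes(value)), end

def decode_der_exact(buf):
    """Decode a buffer that must contain exactly one top-level element."""
    node, end = decode_der(buf)
    if end != len(buf):
        raise DerError("trailing bytes after the top-level element")
    return node

def is_strict_der(buf):
    """True if buf is well-formed DER under the rules above, False otherwise."""
    try:
        decode_der_exact(buf)
        return True
    except DerError:
        return False

# Constructed samples: the same SEQUENCE { INTEGER 5, BOOLEAN TRUE } in DER and in
# three BER-legal but DER-illegal spellings.
DER_OK          = bytes.fromhex("30 06 02 01 05 01 01 ff")
BER_LONG_LENGTH = bytes.fromhex("30 81 06 02 01 05 01 01 ff")      # length 6 as "81 06"
BER_INDEFINITE  = bytes.fromhex("30 80 02 01 05 01 01 ff 00 00")   # indefinite + end-of-contents
BER_BOOLEAN     = bytes.fromhex("30 06 02 01 05 01 01 01")         # TRUE as 0x01, not 0xFF

if __name__ == "__main__":
    print(decode_der_exact(DER_OK))
    for sample in (BER_LONG_LENGTH, BER_INDEFINITE, BER_BOOLEAN):
        print(sample.hex(), "strict DER:", is_strict_der(sample))
```

The value of the strict rules is that each ASN.1 value has exactly one DER byte string, so a signature over a certificate can be checked byte-for-byte; a decoder that also accepts the BER spellings lets two different encodings mean the same thing, which is the property XML needs canonicalization to recover.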
Posted Nov 23, 2009 8:26 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
To be fair, XML canonicalization rules are designed for arbitrary XML. It's possible to simplify them by using a subset of XML. For example, by restricting entities, CDATA and namespace use.
In any case, less complex formats like JSON can be used instead of XML.
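To make the "canonical format, then sign" idea concrete for the simpler JSON case the comment mentions, here is an added example (not code from the thread or any library): a deterministic JSON serializer that fixes key order, whitespace and encoding, refuses floats because their text form is not unique, and then signs the resulting bytes with an HMAC. The documents and key are constructed for the example.

```python
# Canonical JSON serialisation plus HMAC signature -- added example, not from the
# thread or any library. Two documents that differ only in key order or whitespace
# serialise to the same bytes and therefore verify against the same tag.
import hashlib
import hmac
import json

class CanonError(ValueError):
    """Raised for values that have no single canonical JSON spelling."""

def _check(obj):
    """Reject types whose JSON text is not unique (floats, non-string keys, objects)."""
    if isinstance(obj, bool) or obj is None or isinstance(obj, (str, int)):
        return
    if isinstance(obj, float):
        raise CanonError("floats have no unique text form; use int or string")
    if isinstance(obj, dict):
        for key, val in obj.items():
            if not isinstance(key, str):
                raise CanonError("object keys must be strings")
            _check(val)
    elif isinstance(obj, list):
        for val in obj:
            _check(val)
    else:
        raise CanonError("unsupported type %s" % type(obj).__name__)

def canonical_json(obj):
    """Serialise obj to bytes: sorted keys, no whitespace, UTF-8, no NaN/Infinity."""
    _check(obj)
    text = json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False, allow_nan=False)
    return text.encode("utf-8")

def sign(obj, key):
    """HMAC-SHA256 over the canonical bytes, as a hex string."""
    return hmac.new(key, canonical_json(obj), hashlib.sha256).hexdigest()

def verify(obj, key, tag):
    """Constant-time comparison of the recomputed tag against the presented one."""
    return hmac.compare_digest(sign(obj, key), tag)

# Constructed inputs: same content, different key order and whitespace.
DOC_A = json.loads('{"amount": 100, "to": "alice", "memo": "rent"}')
DOC_B = json.loads('{ "memo":"rent", "to":"alice", "amount":100 }')
KEY = b"constructed-demo-key"   # placeholder key for the example only

if __name__ == "__main__":
    print(canonical_json(DOC_A))
    print(sign(DOC_A, KEY) == sign(DOC_B, KEY))
```

The same approach applied to XML is what the canonicalization specs do, but with far more cases to pin down (attribute order, namespace declarations, entity expansion, CDATA sections); restricting the XML subset, as the comment suggests, shrinks that list toward what this JSON version needs.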
Posted Nov 23, 2009 13:50 UTC (Mon) by quotemstr (subscriber, #45331)
Wherever ASN.1 goes, destruction and pain follow. Examples: LDAP, SNMP, SSL/TLS, Kerberos.
Posted Nov 23, 2009 15:49 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
I can easily do this for HTTP/FTP/SMTP even IMAP. I don't even want to contemplate this for SSL/TLS.
That's the problem, it's impossible to create a simple client for SSL.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.