[19299] in cryptography@c2.net mail archive


Re: crypto for the average programmer

daemon@ATHENA.MIT.EDU (Bill Stewart)
Sun Dec 18 10:43:58 2005

X-Original-To: cryptography@metzdowd.com
Date: Sat, 17 Dec 2005 22:05:29 -0800
To: cryptography@metzdowd.com
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <20051214233429.GA8452@slack.lne.com>

At 03:34 PM 12/14/2005, ericm@lne.com wrote:
>An application programmer who is using PKCS1 doesn't even need to
>know the small amount of ASN.1 in the spec... libraries that
>implement RSA PKCS1 take care of the ASN.1 for the programmer.

This is in fact one reason that ASN.1 exploits
have been so wide-ranging when they've happened.
ASN.1 is a horrendously ugly mess, even uglier than PGP,
so almost everybody uses an existing library instead of
rolling their own or writing a new library for other users.
Major bugs aren't discovered often,
but everybody's pretty much using the same C code,
whether for SNMP or X.509 or whatever.
I don't know how many of the Java et al. versions
have rewritten it natively as opposed to importing
C libraries, which is probably more convenient.



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
