[Cryptography] Is ASN.1 still the thing?

[Peter Gutmann]

John-Mark Gurney <jmg at funkthat.com> writes:

>I really hope that's not the case, because if it doesn't fully parse all the
>leading data, you are now open to a packet-in-packet style attack.

Given that it doesn't parse or verify *anything at all*, you're open to every
kind of attack there is.  I don't know why you'd bother with a packet-in-
packet attack, since anything will work.

(Note that in at least some of these cases, there's no attack possible since
the public key is hardcoded.  The spec says you have to have a PKI so you have
a PKI, even when it makes no sense.  It's only when you try and verify some of
the certs and find that not only don't they verify but they're barely valid as
certs do you realise it's all just theatre).

Peter.