Re: [TLS] TLS grammar checker?
Nico Williams <nico@cryptonector.com> Tue, 18 June 2013 22:50 UTC
On Tue, Jun 18, 2013 at 5:20 PM, Bill Frantz <frantz@pwpconsult.com> wrote:
> On 6/18/13 at 10:36 AM, nico@cryptonector.com (Nico Williams) wrote:
>
>> This would make it possible to use ASN.1 for
>> specifying JSON schemas too, but no one who doesn't already have to
>> use ASN.1 wants to use ASN.1, though I myself like ASN.1 -- I only
>> hate its TLV encodings.
>
> Given the history of serious security problems due to ASN.1 parser bugs, I
> would feel better with a simpler format. (And yes, I'm one of the people who
> developed an allergy to ASN.1 through use.)

This tells me that you don't understand what you're talking about, that
your reaction is knee-jerk.

ASN.1 is just a syntax. The security bugs have been in decoders of some
encoding rules of ASN.1, like BER. And there have been security
vulnerabilities in *many* encodings not related to ASN.1, such as XDR,
NDR, and others. The problem is not exclusive to TLV (tag-length-value)
encoding rules of ASN.1 (like BER) nor to ASN.1 encoding rules. It's
generic.

The syntax itself is fine as far as security goes. It's not terribly easy
to parse (so that's one reason not to use it), that's about the only
significant problem with the *syntax*.

I'd go further and recommend the use of a syntax and encoding rules for
which there is suitable tooling available as this allows for more
formality in specifications, and fixing of bugs by fixing encoder/decoder
libraries, increasing code reuse, ...

Nico

--
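The distinction the reply draws, that the bugs live in decoders of the TLV encoding rules rather than in the ASN.1 syntax, comes down to how a decoder handles the length octets. The following is an added example, not code from this thread or from any ASN.1 library: a minimal BER tag/length header reader in C in which every rejection path (length octets cut off, declared length larger than the buffer, indefinite form, length field too wide for size_t) is one of the checks a decoder must not skip before touching the content.

```c
#include <stddef.h>
#include <stdint.h>

/* Outcome of reading one BER tag-length header. */
enum ber_status { BER_OK = 0, BER_TRUNCATED, BER_INDEFINITE, BER_OVERFLOW, BER_UNSUPPORTED };

/*
 * Read the tag and length octets of the BER element starting at buf[0].
 * On BER_OK: *tag is the tag octet, *hdr the header size, *content the
 * declared content length, and hdr + content <= len is guaranteed, so the
 * caller may index buf[hdr .. hdr+content) without further checks.
 */
enum ber_status ber_read_tlv(const uint8_t *buf, size_t len,
                             uint8_t *tag, size_t *hdr, size_t *content)
{
    size_t pos = 0, clen = 0;
    if (len < 2)                        /* need at least one tag and one length octet */
        return BER_TRUNCATED;
    *tag = buf[pos++];
    if ((*tag & 0x1f) == 0x1f)          /* high-tag-number form: not handled here */
        return BER_UNSUPPORTED;

    uint8_t first = buf[pos++];
    if (first < 0x80) {
        clen = first;                   /* short form: the octet is the length */
    } else if (first == 0x80) {
        return BER_INDEFINITE;          /* indefinite form: reject where DER is expected */
    } else {
        size_t n = first & 0x7f;        /* long form: n subsequent length octets */
        if (n > sizeof(size_t))         /* cannot be represented; shifting would wrap */
            return BER_OVERFLOW;
        if (len - pos < n)              /* the length octets themselves are cut off */
            return BER_TRUNCATED;
        for (size_t i = 0; i < n; i++)
            clen = (clen << 8) | buf[pos++];
    }

    /* The check decoders have historically missed: declared length must fit the data. */
    if (clen > len - pos)
        return BER_TRUNCATED;

    *hdr = pos;
    *content = clen;
    return BER_OK;
}
```

A decoder that trusts clen here and copies or recurses over buf[hdr .. hdr+clen) without the final comparison is the shape of bug the reply refers to, and it is independent of whether the schema was written in ASN.1.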