DER ≠ ASN.1. I've written a handful of BER/DER encoders and decoders without coming near implementing ASN.1. DER is a decent TLV format.
-
-
Also, IIUC, attestation certificate can be (arguably, should be) < 256 bytes but not < 127 bytes, i.e. 0x30 0x81 <length byte> is allowed.
-
Yes, I don't know enough about the variety of certs actually seen here. I'm oversimplifying, unaware of general context.
-
If most certs are >= 256 bytes, probably safer for CA to always pad certs to >= 256 bytes, in case someone hard-coded 0x30 0x82 <len> <len>.
-
By my math, a P-256 cert signed with P-256 ECDSA is 235 bytes before you put in subject, issuer, serial number, or extensions.
-
Unless I'm missing context, I'd be surprised to see one under 256 bytes in the wild.
-
Here's one that I think may be valid & reasonable that's 251 bytes: https://goo.gl/L2yCos. But usually there will be at least 1 extn.
End of conversation
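The conversation above turns on one detail: in the U2F registration response the attestation certificate is followed directly by the signature, with no length field of its own, so a relying party or server finds where the certificate ends by reading the DER SEQUENCE header. A parser that hard-codes the two-byte long form `0x30 0x82 <len> <len>` breaks on a certificate between 128 and 255 bytes, which is encoded as `0x30 0x81 <len>` and is perfectly valid DER. The following is an added example (not code from any of the participants) showing a strict DER length reader next to the fragile hard-coded version; the certificates and signature are constructed placeholders, not real X.509 data, and `split_cert_and_signature` / `naive_split` are hypothetical helper names.

```python
"""Locate a DER-encoded certificate by parsing its outer SEQUENCE header.

Added example, not code from the thread's participants. The layout mirrors the
tail of a U2F registration response (attestation cert || signature); the byte
strings below are constructed placeholders, not real certificates."""


def der_tlv_extent(buf: bytes, offset: int = 0) -> int:
    """Return the total size (tag + length + value) of the DER TLV at
    buf[offset]. Raises ValueError on anything that is not DER."""
    if offset + 1 >= len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[offset]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not expected for a certificate")
    first = buf[offset + 1]
    if first < 0x80:
        # Short form: one length byte, values 0..127.
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is BER, not DER")
        if n > 4:
            raise ValueError("unreasonably large length field")
        if offset + 2 + n > len(buf):
            raise ValueError("truncated length field")
        lbytes = buf[offset + 2 : offset + 2 + n]
        if lbytes[0] == 0:
            raise ValueError("non-minimal length (leading zero) is not DER")
        length = int.from_bytes(lbytes, "big")
        if length < 0x80:
            raise ValueError("long form for a length < 128 is not DER")
        hdr = 2 + n
    total = hdr + length
    if offset + total > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return total


def split_cert_and_signature(tail: bytes):
    """tail = attestation certificate (DER SEQUENCE) || signature.
    Returns (cert, signature) using the real DER header."""
    if not tail or tail[0] != 0x30:
        raise ValueError("certificate must start with SEQUENCE tag 0x30")
    n = der_tlv_extent(tail, 0)
    return tail[:n], tail[n:]


def naive_split(tail: bytes):
    """The fragile approach discussed in the thread: assume 0x30 0x82 <len> <len>
    and never look at the second byte. Correct only for certs >= 256 bytes."""
    length = int.from_bytes(tail[2:4], "big")
    return tail[: 4 + length], tail[4 + length :]


def accepts_as_der(buf: bytes) -> bool:
    """True if der_tlv_extent accepts buf as a well-formed DER TLV."""
    try:
        der_tlv_extent(buf)
        return True
    except ValueError:
        return False


def build_sequence(body: bytes) -> bytes:
    """Wrap body in a DER SEQUENCE with a minimal length encoding."""
    L = len(body)
    if L < 0x80:
        return b"\x30" + bytes([L]) + body
    lb = L.to_bytes((L.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(lb)]) + lb + body


# Constructed placeholders: three "certificates" straddling the 128/256 boundaries
# and a stand-in for the DER-encoded ECDSA signature that follows them.
SIG = b"\x30\x06\x02\x01\x01\x02\x01\x02"
CERT_SHORT = build_sequence(b"\xaa" * 100)  # 0x30 0x64 ...        (102 bytes)
CERT_MED = build_sequence(b"\xbb" * 249)    # 0x30 0x81 0xf9 ...   (252 bytes)
CERT_LONG = build_sequence(b"\xcc" * 300)   # 0x30 0x82 0x01 0x2c  (304 bytes)

if __name__ == "__main__":
    for name, cert in (("short", CERT_SHORT), ("medium", CERT_MED), ("long", CERT_LONG)):
        strict_ok = split_cert_and_signature(cert + SIG) == (cert, SIG)
        naive_ok = naive_split(cert + SIG) == (cert, SIG)
        print(f"{name:6} ({len(cert)} bytes): strict={strict_ok} naive={naive_ok}")
```

Run as a script, the strict parser recovers the certificate/signature boundary for all three sizes, while the hard-coded `0x82` reader only gets the 304-byte case right: on the 252-byte certificate it reads `0xf9 0xbb` as a 16-bit length and swallows the signature. The strict reader also rejects the encodings DER forbids (indefinite length, leading-zero or unnecessarily long length fields), which is the "parse it correctly" bar the thread refers to.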
New conversation -
-
-
I'm not sure if I understand the threat model here, so I am not sure what's possible if the cert isn't valid DER (including valid non-D BER)
-
There's no problem as long as you parse it correctly. I have low confidence that everybody will parse it correctly, that's all.
-
Yes, I think that's a tautology.
-
Apparently not! https://github.com/openssl/openssl/pull/4385 … :) /cc @davidben__
-
Did you misspell "Apparently so!"?
End of conversation
New conversation -
-
-
@equalsJeffH, is this something we should report against the CTAP spec? -
My impression is that https://w3c.github.io/webauthn/#fido-u2f-attestation … encodes the certificate as a CBOR byte array, which is length-prefixed, so maybe ! a problem?
-
What @jyasskin points to is what is obtained over CTAP2, IIUC. What @BRIAN_____ refers to is, I think, a CTAP1 aka orig U2F spec issue, IIUC.
-
...where CTAP2 is what is defined (but not named as such, sigh) in this *draft* spec: https://fidoalliance.org/specs/fido-v2.0-rd-20161004/fido-client-to-authenticator-protocol-v2.0-rd-20161004.html …
End of conversation
New conversation -