Also, blaming ASN.1 for a vulnerability in an unsafe, untyped program is basically victim blaming. Stop doing that, folks. C is the problem.
@bmastenbrook or we could switch to JOSE or protobufs or capnp or something else that isn't so error-prone
@bascule there are lots of good arguments for doing that. C turning any moderately complex program into a minefield is not one of them.
@bmastenbrook at least in the case of something like protobufs or capnp, they'll generate the parser for you...
@bascule I worked on a commercial tool like protobuf for many years, and I can say that C is a terrible code generation target too.
@bmastenbrook exactly why it'd be nice to use a serialization format with codegen for many platforms
@bascule sure, no argument there. I'd bet that a safe ASN.1 implementation is easier than convincing the world to drop X.509 though...
@bmastenbrook JOSE seems to be gaining traction. We'll see if someone uses it to make a TLS-compatible certificate format
@bascule Looking from an attacker's perspective, a JSON-based encoding implemented in C is very exciting indeed. :-)