On Mon, Mar 28, 2016 at 8:58 PM, Mark Watson <watsonm@netflix.com> wrote: > Ryan, > > I understand (and understood when I wrote my mail). It remains the case > that the problem you refer to should be visible in the test suite. The test > suite should include tests for failure cases. If there is some sequence of > bytes where import succeeds in one implementation and fails in another, > then a test based on that byte sequence would illustrate the problem you > cite. > > So, I still think some specific examples / tests would help. > > ...Mark > Mark, I appreciate your call for test examples, but that seems to be ignoring the conversation being had, or the issues at hand. There are already ample examples of both cases that I've spelled out to Jim. What's at question here is not how to solve the one-off cases, but how to deal with the systemic design issue that has caused them in the first place. In either event, to resolve these cases, especially the 'things that shouldn't be good but are treated as good', will require that, much like JWK, implementations pre-process the ASN.1 in the implementation-side before handing off to the cryptographic library. In order to keep ASN.1 viable as a format, we need agreement from implementors to do that - without that, we cannot achieve interoperability, full-stop, regardless of examples.
Received on Tuesday, 29 March 2016 04:15:49 UTC