Bug 1669618 Comment 3 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

(In reply to certification_authority from comment #2)
>     2. We have a set of OCSP lints and test cases for testing our OCSP software and they did not detect the issue. As part of our investigation, we determined that a library we use for ASN.1 decode operations is too lenient to ensure RFC compliance with respect to certain ASN.1 module syntax (e.g., SEQUENCE size limits).

Can you share more details about what library you're using?

I wasn't sure if this was something in-house using the SecAsn1 framework (or its spiritual replacements), an open-source library like [asn1c](https://github.com/vlm/asn1c), a commercial library like [OSS's compiler](https://www.oss.com/asn1/products/asn1-products.html), or a language integration like [Golang](https://golang.org/pkg/encoding/asn1/).

Any one of these, or any details, could significantly help other CAs avoid similar issues.