undefined | Better HN

0 pointsmcpherrinm10mo ago0 comments

I'd take ASN.1/DER over JWS any day :) It's the weekend and I don't feel I have the energy to launch a full roast of JWS, but to give some flavour, I'll link

https://auth0.com/blog/critical-vulnerabilities-in-json-web-...

Implementations can be written securely, but it's too easy to make mistakes.

Yeah, there's worse stuff from the 90s around, but JOSE and ACME is newer than that - we could have done better!

Alas, it's not changing now.

I think ASN.1 has some warts, but I think a lot of the problems with DER are actually in creaky old tools. People seem way happier with Protobuf, for example: I think that's largely down to tooling.

0 comments

cryptonector10mo ago

The whole not validating the signatures thing is a problem, yes. That can happen with PKI certificates too, but those have been around longer and -perhaps because one needed an ASN.1 stack- only people with more experience wrote PKI stacks than we see in the case of JWS?

I think Protocol Buffers is a disaster. Its syntax is worse than ASN.1 because you're required to write in tags, and it is a TLV encoding very similar to DER so... why _why_ does PB exist? Don't tell me it's because there were no ASN.1 tools around -- there were no PB tools around either!

j / k navigate · click thread line to collapse