On Sun, Mar 22, 2015 at 2:56 PM, Phillip Hallam-Baker wrote:
People keep telling me that canonicalization is necessary for
security. In 25 years I have never once heard someone give a use case
where it did.
Okay, sure, I can fix that problem for you; here is a recent example:
look at OpenSSL CVE-2014-8275.
A CA has signed an intermediate CA cert which is loaded in an
interception appliance. You blacklist this certificate by ID. Your
blacklisting is bypassed by simply changing the encoding of the when
sending the cert chain and now your traffic can be intercepted again.
(This isn't unique, but a recent example; if you're still thinking
that you've still not had one use case where it did, I'd be glad to
spend more time convincing you off-list.)
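The bypass described in the reply, as an added example that is not part of the thread and not OpenSSL's code or the X.509 format: a blacklist keyed on the SHA-256 of the bytes as received is defeated by re-encoding the same content (redundant leading zeros in INTEGERs, long-form length octets), while a blacklist keyed on the fingerprint of the re-serialized strict DER is not. The TLV codec, the stand-in "certificate" structure and its values are all constructed for this example; a second defensive option shown is to detect non-DER input and refuse it before any fingerprint comparison.

```python
"""Toy BER/DER codec (constructed for this example) showing why a
fingerprint blacklist must be computed over a canonical encoding."""
import hashlib

INTEGER, OCTET_STRING, SEQUENCE = 0x02, 0x04, 0x30


def _encode_length(n, long_form=False):
    """DER requires the shortest length form; long_form=True emits a
    legal-but-non-minimal BER form (e.g. 0x81 0x05 instead of 0x05)."""
    if n < 0x80 and not long_form:
        return bytes([n])
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([0x80 | len(body)]) + body


def _encode_int(v, pad=False):
    """Minimal two's-complement INTEGER body; pad=True prepends a
    redundant 0x00, which BER tolerates and DER forbids."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)
    return (b"\x00" + body) if pad else body


def encode(node, sloppy=False):
    """Serialize a tree of ('int', v) / ('octets', b) / ('seq', [..]).
    sloppy=False gives strict DER; sloppy=True gives an equivalent BER
    encoding whose bytes differ but whose content is identical."""
    kind, val = node
    if kind == "int":
        tag, body = INTEGER, _encode_int(val, pad=sloppy)
    elif kind == "octets":
        tag, body = OCTET_STRING, val
    else:  # "seq"
        tag, body = SEQUENCE, b"".join(encode(c, sloppy) for c in val)
    return bytes([tag]) + _encode_length(len(body), long_form=sloppy) + body


def decode(buf):
    """Parse one BER TLV.  Returns (node, rest, strict); strict is False
    if any length or INTEGER used a form that DER does not allow."""
    tag, strict = buf[0], True
    first, i = buf[1], 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length form")
        length = int.from_bytes(buf[i:i + n], "big")
        if length < 0x80 or buf[i] == 0:   # long form was not needed
            strict = False
        i += n
    body, rest = buf[i:i + length], buf[i + length:]
    if len(body) != length:
        raise ValueError("truncated element")
    if tag == INTEGER:
        if len(body) > 1 and body[0] == 0 and body[1] < 0x80:
            strict = False                 # redundant leading zero
        return ("int", int.from_bytes(body, "big", signed=True)), rest, strict
    if tag == OCTET_STRING:
        return ("octets", body), rest, strict
    if tag == SEQUENCE:
        children = []
        while body:
            child, body, s = decode(body)
            children.append(child)
            strict = strict and s
        return ("seq", children), rest, strict
    raise ValueError("unsupported tag %#x" % tag)


def fingerprint(raw):
    """Naive identifier: hash of the bytes exactly as received."""
    return hashlib.sha256(raw).hexdigest()


def canonical_fingerprint(raw):
    """Robust identifier: parse, re-serialize as strict DER, then hash."""
    node, rest, _ = decode(raw)
    if rest:
        raise ValueError("trailing data")
    return hashlib.sha256(encode(node)).hexdigest()


def is_strict_der(raw):
    """Alternative mitigation: refuse anything that is not already DER."""
    _, rest, strict = decode(raw)
    return strict and not rest


# Constructed stand-in for the blacklisted intermediate CA certificate:
# serial, a subject-like string, and an (r, s)-style signature pair.
BAD_CERT = ("seq", [("int", 4660), ("octets", b"Interception Appliance CA"),
                    ("seq", [("int", 0x8000), ("int", 0x7F)])])
BLACKLISTED = {fingerprint(encode(BAD_CERT))}   # keyed on the DER as issued


def naive_check(raw):
    return fingerprint(raw) in BLACKLISTED


def canonical_check(raw):
    return canonical_fingerprint(raw) in BLACKLISTED


def demo():
    as_issued = encode(BAD_CERT)
    re_encoded = encode(BAD_CERT, sloppy=True)   # same content, other bytes
    return {
        "bytes_differ": as_issued != re_encoded,
        "naive_blocks_issued": naive_check(as_issued),
        "naive_blocks_reencoded": naive_check(re_encoded),        # bypassed
        "canonical_blocks_reencoded": canonical_check(re_encoded),
        "reencoded_is_strict_der": is_strict_der(re_encoded),     # detectable
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the five flags; the two that matter are that the naive check no longer matches the re-encoded chain while the canonical check still does. Keying the blacklist on something that survives re-encoding (the re-serialized DER here, or a field such as the public key) and rejecting non-DER input are complementary, and a deployment can do both.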
openpgp mailing list