pem-dev

Re: ASN.1 (was: Re: Kerberos v5's ex

1995-09-21 19:41:00

I will first state that ASN.1 without the encoding rules is useless
for building practical interoperable protocols, thus implementors like
me tend to lump ASN.1 with BER and DER as a single unit.

It's probably fine for designing abstract protocols, but you can't get
anything done with an abstract protocol -- you need to move bits on
the wire.

   I can't agree that defining concrete structure (in a high level
   design) is correct; one really wants to define an abstract syntax,
   which ASN.1 does well.

If one wants performance, scalability, and robustness, one must
understand both the relative and the absolute cost of the operations
and messages inside your system.

You don't need to know the exact final bit-level encoding of your
message formats when you do your high-level design -- but you
absolutely need to know the order of magnitude of the size of each
message -- whether it is 10, 100, 1000, or 100,000 bytes -- before you
can develop the right strategy of how & when to communicate, when,
what, and how to cache, and so forth.  An abstract notation like ASN.1
makes it very hard to do this because it hides the size of the objects
in question.

As for the experience of ASN.1 in Kerberos V5:

An ASN.1 compiler *was* used (the compiler from ISODE) in MIT's
reference implementation.  Interoperability problems began when I
replaced ISODE with the MAVROS ASN.1 compiler in the kerberos
implementation inside OSF/DCE.  Initially, MAVROS got the date formats
and some other minor details wrong.  I fixed this myself, made things
interoperate, and then moved on to other things.

Later on, the interface to tell the encoder to use DER instead of BER
was changed out from under us in the pre-release crunch.  The old way
to turn on DER turned into a no-op.  We didn't notice at the time, or
for some time thereafter, and multiple vendors had shipped products we
had to maintain backwards compatibility with before we discovered the
problem, and we *couldn't* fix it.

Ted has said that the biggest mistake in the implementation of
kerberos v5 was using ASN.1/DER.  The biggest mistake in the OSF/DCE
port of kerberos v5 was in not using ISODE.

I guess I'll have to say that, judging by the number of poor ASN.1
compilers I've tripped over, ASN.1 is far too easy to implement
poorly.  The lack of a standard way to map between ASN.1 structures
and programming-language in-memory representations is part of the
problem, as are the multiple non-interoperable encoding rules.

                                                - Bill

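The failure mode Bill describes, a "use DER" switch silently becoming a no-op so that BER forms went out on the wire, is exactly what a strict DER consumer is meant to catch. The following walker is an added example, not code from this thread or from any Kerberos, ISODE or MAVROS implementation; it handles single-octet tags only, and the sample encodings of SEQUENCE { INTEGER 127, INTEGER -128 } are constructed for the demonstration.

```python
# Strict DER conformance walker (added example).  A BER encoder may emit the
# forms flagged here; a DER decoder must reject them.

def read_length(buf, pos, issues):
    """Parse BER length octets at buf[pos]; return (length, next_pos).
    length is None for the indefinite form.  DER violations go to issues."""
    first = buf[pos]
    if first < 0x80:                       # short form: one octet
        return first, pos + 1
    if first == 0x80:                      # indefinite form (BER only)
        issues.append("indefinite length (BER only, forbidden in DER)")
        return None, pos + 1
    n = first & 0x7F                       # long form: n length octets follow
    raw = buf[pos + 1:pos + 1 + n]
    length = int.from_bytes(raw, "big")
    if length < 0x80 or raw[0] == 0x00:    # DER: fewest octets, short form if possible
        issues.append("non-minimal length octets (forbidden in DER)")
    return length, pos + 1 + n

def check_tlv(buf, pos, issues):
    """Check one TLV at buf[pos] (single-octet tags only); return next pos."""
    tag = buf[pos]
    length, pos = read_length(buf, pos + 1, issues)
    if length is None:                     # indefinite: children until EOC 00 00
        while buf[pos:pos + 2] != b"\x00\x00":
            pos = check_tlv(buf, pos, issues)
        return pos + 2
    end = pos + length
    if tag & 0x20:                         # constructed: recurse into children
        while pos < end:
            pos = check_tlv(buf, pos, issues)
    elif tag == 0x02 and length > 1:       # INTEGER: no redundant leading octet
        b0, b1 = buf[pos], buf[pos + 1]
        if (b0 == 0x00 and b1 < 0x80) or (b0 == 0xFF and b1 >= 0x80):
            issues.append("non-minimal INTEGER (forbidden in DER)")
    return end

def der_issues(buf):                       # all DER violations in one complete encoding
    issues, pos = [], 0
    while pos < len(buf):
        pos = check_tlv(buf, pos, issues)
    return issues

# Constructed samples: SEQUENCE { INTEGER 127, INTEGER -128 } in four encodings.
DER_OK  = bytes.fromhex("3006 0201 7f 0201 80")            # canonical DER
BER_LEN = bytes.fromhex("308107 028101 7f 0201 80")        # long-form lengths for short values
BER_IND = bytes.fromhex("3080 0201 7f 0201 80 0000")       # indefinite length plus EOC
BER_INT = bytes.fromhex("3007 0202 007f 0201 80")          # INTEGER 127 with a needless 0x00

if __name__ == "__main__":
    for name, enc in [("DER_OK", DER_OK), ("BER_LEN", BER_LEN), ("BER_IND", BER_IND), ("BER_INT", BER_INT)]:
        print(name, enc.hex(), der_issues(enc) or "DER-conformant")
```

All four samples decode to the same abstract value under BER, which is why an encoder flag that stops taking effect goes unnoticed until a DER-only peer or a signature check rejects the bytes.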
