
ASN.1 and Kerberos version 5


Perry E. Metzger writes:
>I've heard people associated with the decision to use ASN.1 in
>Kerberos V say it was a mistake. Frankly, I think ASN.1 is a blight
>which should be exterminated from the planet.

I'll say it. I was the person who pushed for the use of ASN.1 in Kerberos
version 5. I had this disease at the time that made me think that ASN.1 was
a good idea. I got better; unfortunately, we have been living with the
results of my braino for quite some time now... poor Ted.

However, the problem with ASN.1 isn't its waste of space (which actually
isn't that bad for a mechanism for encoding arbitrary objects). The problem
is that it is the product of a standards making process that didn't (and
doesn't) value interoperability. Adherence to the ISO specifications does
not guarantee interoperation. Instead regional "workshops" negotiate
aspects of implementations to obtain interoperation.

What does this mean for ASN.1? It means that the definition of ASN.1 is a
bit abstract (as its name implies). Problems result when two organizations
(say MIT and OSF!) attempt to implement from the specification in ASN.1 but
use different ASN.1 compilers and things then don't work. Arguments then
ensue about whose compiler (or manually written parsing code) is "correct"
in terms of doing the right thing with ASN.1. This is particularly so when
using DER (for Distinguished Encoding Rules), which is itself an
afterthought added to ASN.1 later in the process. It is required in order
to verify digital signatures (which have to be computed on the "encoded"
form of an object because there is no good way to calculate a signature on
an "abstract" object).

If the Kerberos specification said: "put this byte here and that one there"
none of these arguments and problems would happen.


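The point about DER and signatures, as an added example that is not part of the original post or of the Kerberos sources. It uses a constructed toy subset of ASN.1 (INTEGER, OCTET STRING and SEQUENCE only; the sample bytes are made up for the demonstration) to show what "two compilers, both correct" looks like on the wire: BER permits several encodings of one abstract value (long-form lengths, padded integers), so hashing the bytes as received gives different digests for the same value, while DER pins down exactly one encoding that both signer and verifier can agree on.

```python
# Added example (not from the original post or the Kerberos sources): a toy
# BER/DER subset for INTEGER (0x02), OCTET STRING (0x04) and SEQUENCE (0x30),
# used to show why signatures need the Distinguished Encoding Rules.
import hashlib

def decode_length(buf: bytes, i: int):
    """Decode a BER length starting at buf[i]; return (length, index_after).

    BER allows the short form (one byte, 0x00..0x7f) and the long form
    (0x80|n followed by n length bytes) for the *same* length, which is one
    reason two byte strings can encode one abstract value.
    """
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length not supported")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _decode_at(buf: bytes, i: int):
    """Decode one TLV at buf[i]; return (abstract_value, index_after)."""
    if i >= len(buf):
        raise ValueError("unexpected end of data")
    tag = buf[i]
    length, start = decode_length(buf, i + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("truncated element")
    body = buf[start:end]
    if tag == 0x02:                       # INTEGER: two's complement, any width
        return int.from_bytes(body, "big", signed=True), end
    if tag == 0x04:                       # OCTET STRING
        return bytes(body), end
    if tag == 0x30:                       # SEQUENCE: decode children in turn
        items, j = [], start
        while j < end:
            item, j = _decode_at(buf, j)
            items.append(item)
        return items, end
    raise ValueError(f"unsupported tag 0x{tag:02x}")

def ber_decode(buf: bytes):
    """Accept any BER (hence also DER) encoding and return the abstract value."""
    value, end = _decode_at(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after element")
    return value

def der_length(n: int) -> bytes:
    """DER length: short form whenever it fits, else the minimal long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_encode(value) -> bytes:
    """Produce the single DER encoding of an int, bytes or list value."""
    if isinstance(value, int):
        k = 1                             # fewest two's-complement bytes
        while not -(1 << (8 * k - 1)) <= value < (1 << (8 * k - 1)):
            k += 1
        body = value.to_bytes(k, "big", signed=True)
        return b"\x02" + der_length(len(body)) + body
    if isinstance(value, bytes):
        return b"\x04" + der_length(len(value)) + value
    if isinstance(value, list):
        inner = b"".join(der_encode(v) for v in value)
        return b"\x30" + der_length(len(inner)) + inner
    raise TypeError(f"unsupported value type {type(value).__name__}")

def is_der(buf: bytes) -> bool:
    """A DER-strict verifier's check: the bytes must be the canonical encoding."""
    return der_encode(ber_decode(buf)) == buf

def raw_digest(buf: bytes) -> str:
    """What a signer hashes when it signs 'the encoded form' as received."""
    return hashlib.sha256(buf).hexdigest()

def canonical_digest(buf: bytes) -> str:
    """Hash of the DER re-encoding: equal for every BER encoding of one value."""
    return hashlib.sha256(der_encode(ber_decode(buf))).hexdigest()

# Constructed sample: SEQUENCE { INTEGER 255, OCTET STRING "abc" }.
# BER_A is the DER form; BER_B is equally valid BER but uses a padded INTEGER
# and long-form lengths, so a DER-strict decoder rejects it.
BER_A = bytes.fromhex("3009" "020200ff" "0403616263")
BER_B = bytes.fromhex("30810b" "02030000ff" "048103616263")

if __name__ == "__main__":
    print(ber_decode(BER_A), ber_decode(BER_B))                 # same abstract value
    print(raw_digest(BER_A) == raw_digest(BER_B))               # False: bytes differ
    print(canonical_digest(BER_A) == canonical_digest(BER_B))   # True
    print(is_der(BER_A), is_der(BER_B))                         # True False
```

Two implementations that disagree on which of BER_A and BER_B is "correct" will verify each other's signatures only by accident; `is_der` is the check a verifier applies so that exactly one byte string is accepted for a given value, and `canonical_digest` is the fallback of re-encoding before hashing when the peer cannot be trusted to have emitted DER.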