On Fri, 14 Jun 2002, Robert Mathews wrote:
applications. Sourcefire founder Martin Roesch and other experts say that the problem is being investigated by tech firms, private researchers, and government agencies. The National Infrastructure Protection Board's Debbie Weierman notes that her agency has been collaborating with experts from the NSA, the Federal Computer Incident Response Center, CERT, private groups, and others since March to see how widespread the ASN.1 flaw is. Microsoft, Lucent, and Oracle are among the private-sector companies that have investigated or are investigating how their products may be affected
I'm certain the best people are working on this, but once again Steve Bellovin scooped them all nearly a decade ago.

In the early 1990's myself and several other people were developing the Z39.50 Information Retrieval protocol, including Bob Waldstein from Bell Labs. Like many other ISO/OSI protocols, Z39.50 used ASN.1 as the protocol description language. At first all of us tried using the existing ASN.1 tools, commercial and public domain. We found problems with essentially all of the available ASN.1 compilers and libraries in the 1990's. In 1992 we didn't think of calling it a security flaw, we just called it bad code.

We needed to pass the Z39.50/ASN.1 protocol through Bellovin's fancy firewalls (see his book), which created an interesting conflict. Firewalls should be very simple devices, and ASN.1 can be complex. Despite Bellovin's misgivings, we got Z39.50/ASN.1 through his firewalls.

Imagine if the US Government's GOSIP procurement policy had worked in the 1980's. Instead of a few protocols like SNMP and Z39.50, every network protocol followed the OSI model and used ASN.1 for the session layer, presentation layer and application layer.