"James A. Donald" <[EMAIL PROTECTED]> writes:

>In any program subject to attack, all strings should have known, documented,
>and enforced maximum length, a length large enough for all likely legitimate
>uses, and no larger.

Precisely. An example of where dynamic strings can lead you is what happens to old (very old) versions of Netscape when you feed them a cert with, say, an MPEG of a cat in the X.500 DN. Netscape happily accepts the cert but you then have to reinstall the browser because while it'll quite readily accept ridiculously long values it doesn't actually cope with them very well. A security component that's trivially taken out by a DoS isn't a security component, it's a vulnerability.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
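
The rule discussed in this message, applied to a single DN attribute value, as an added example that is not part of the original post or of any browser's code: the declared DER length is checked against a documented maximum before anything is copied. The function name and sample bytes are constructed for illustration; the limit of 64 is `ub-common-name` from RFC 5280, and the sketch assumes it can be counted in bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UB_COMMON_NAME 64 /* ub-common-name, RFC 5280 Appendix A */

/* Constructed samples: a 3-byte value, and a header claiming 4096 bytes. */
static const uint8_t SAMPLE_OK[]  = { 0x0C, 0x03, 'c', 'a', 't' };
static const uint8_t SAMPLE_BIG[] = { 0x0C, 0x82, 0x10, 0x00, 'x' };

/* Hypothetical helper: copy one DER string (tag, length, contents) into
 * out[] as a C string, enforcing max_len. Returns the content length,
 * or -1 if the value is rejected. */
int read_bounded_der_string(const uint8_t *der, size_t der_len,
                            char *out, size_t out_size, size_t max_len)
{
    size_t len, hdr = 2;

    if (der_len < 2) return -1;
    /* Only UTF8String (0x0C) and PrintableString (0x13) in this sketch. */
    if (der[0] != 0x0C && der[0] != 0x13) return -1;

    if (der[1] < 0x80) {                 /* short-form length */
        len = der[1];
    } else {                             /* long form: next n bytes */
        size_t n = der[1] & 0x7F;
        /* Reject indefinite length and length fields wider than 2 bytes. */
        if (n == 0 || n > 2 || der_len < 2 + n) return -1;
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | der[2 + i];
        hdr += n;
    }
    if (len > max_len) return -1;        /* documented maximum, checked first */
    if (len >= out_size) return -1;      /* room for the terminating NUL */
    if (len > der_len - hdr) return -1;  /* header claims more than we hold */
    if (memchr(der + hdr, 0, len)) return -1; /* embedded NUL would truncate */

    memcpy(out, der + hdr, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    char cn[UB_COMMON_NAME + 1];
    printf("ok:  %d\n", read_bounded_der_string(SAMPLE_OK, sizeof SAMPLE_OK,
                                                cn, sizeof cn, UB_COMMON_NAME));
    printf("big: %d\n", read_bounded_der_string(SAMPLE_BIG, sizeof SAMPLE_BIG,
                                                cn, sizeof cn, UB_COMMON_NAME));
    return 0;
}
```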