> And I don't expect that everything is correct now. As long as we
> don't have a clear security issue here, we should not add extra
> constraints on DER or even BER parsing.

I went ahead and produced a proof-of-concept exploit for some important
downstream software using the acceptance of non-canonical DER ECDSA
encodings.

Now, I believe this conversation should be transitioned to
[email protected]. I will follow up there with specifics in the coming days.

Thanks,
Jake
https://jakegines.in

On Thu, Jan 15, 2026 at 9:27 AM Werner Koch <[email protected]> wrote:

> On Wed, 14 Jan 2026 17:30, Jake Ginesin said:
>
> > understanding that non-malleability in DER parsing is important for X.509
> > certificate validation [1,2] and preventing transaction malleability [3].
>
> The first paper is on formal verification of parsers and I don't see a
> practical application here. In particular because ASN.1 has in the
> real world never been used as it was designed for. It is used for data
> format description and that does work okayish. The encoding was anyway
> an afterthought and there are limitations when using DER as an encoding:
> For example you can only use definite lengths for signed data which in
> turn forbids the use of standard tools based stream processing.
>
> > Also, I went ahead and publicized my proof-of-concept for the first point
> > in this thread's initial email. [4]
>
> Which is the reason that DER encoded signatures are not used in this
> simplified way.
>
>
> Salam-Shalom,
>
>    Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein
