~98% of the ASN.1 parsing bugs could have been prevented by generating the parser instead of handwriting yet another recursive descent parser "with a few clever optimisations".
Reminds me of all the Trotskyists who say Communism has never been discredited because no true Communist regime ever existed, only forms of State Capitalism. Why oh why has no actual ASN.1 parser ever hewed to the self-evident Platonic ideal of machine-generated purity?
The question around this is whether vulnerabilities show up because the technology is bad or because it’s widely used, triggers interest by researchers, and a certain amount of any implementations will have their set of issues.
