[api]

This is yet another illustration of why complexity is evil in cryptographic and security critical code. It's evil everywhere, but it's particularly evil there. The relationship between bugs and complexity is exponential, not linear.

X.509 is an over-engineered legacy-cruft-encrusted nightmare. I've implemented stuff that uses it and I never, even after the most careful auditing by myself and peers, leave with the sense that I have handled everything correctly or that my code is totally air-tight.

[rst]

The bug is being publicly described as specific to the implementation of a particular class of cryptographic primitives (ECC). If that's accurate, simplifying the certificate data format (unnecessarily messy though it may be) wouldn't do much to mitigate this particular issue.

[tptacek]

To the extent it's X.509 allowing curve parameters to be specified alongside signatures and public keys, this is indeed a case where all the extra joinery in X.509 is creating exploitable complexity, and the point 'api is making is well taken.