IETF Logo Mail Archive

Re: [apps-discuss] Kathleen Moriarty's Discuss on draft-ietf-appsawg-json-merge-patch-06: (with DISCUSS)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 21 August 2014 02:14 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD7321A6FF0; Wed, 20 Aug 2014 19:14:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DJ_MzN4VOcpr; Wed, 20 Aug 2014 19:14:32 -0700 (PDT)
Received: from mail-lb0-x233.google.com (mail-lb0-x233.google.com [IPv6:2a00:1450:4010:c04::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05A341A6FEF; Wed, 20 Aug 2014 19:14:31 -0700 (PDT)
Received: by mail-lb0-f179.google.com with SMTP id v6so7458716lbi.38 for <multiple recipients>; Wed, 20 Aug 2014 19:14:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=T8FqlHeJRzp23HtkWul73KAsc5Fr0UL6Ioa65SaJDdo=; b=iKF4zXrjI+oG6AfT5InGflpmtacaNlNv3/6krScNq6p0+RnRy1dlpJuj88I1NCrK6c EsKtSumKSZjpA4eQFPYjXWzws9nlbhZhMFAlaJjMWNXabkklMgF3tn4o/QTve52mODiO 6D3IR39ML57psi+ljTN5aqQW6Rj/vgSXWNcxHMegLp7K9ttjJa7Fw6cIfBDu0BeSFeej TOBG1djslLxFtKrODUwXjLheegchGjBB+3uucYjlJxUTZoK/9QxGMTZ+YKkVicS1lzCD 5ggQsVNaVy5HtX206gXJ/SODUT/bYogfcO7rqjyybeLSf3/6ecHea9aFUwx7VLd3M9W2 IfZw==
MIME-Version: 1.0
X-Received: by 10.112.33.74 with SMTP id p10mr43123745lbi.0.1408587270173; Wed, 20 Aug 2014 19:14:30 -0700 (PDT)
Received: by 10.112.64.170 with HTTP; Wed, 20 Aug 2014 19:14:30 -0700 (PDT)
In-Reply-To: <CABP7Rbe2a0myYSef=7qLhVr6BevTNM7HeESGdVeoUXp5dERRKg@mail.gmail.com>
References: <20140818205813.25342.9189.idtracker@ietfa.amsl.com> <5E1CE9A7-7425-4C77-9871-3B71A1CF4CC9@vpnc.org> <CAHbuEH6gGqF4s=ttFxmyGEz8veOn87nDfjwLOh-ZmzZoPPjfdA@mail.gmail.com> <4F7A88C1-52AA-4F5A-8D56-722911C9C187@vpnc.org> <CABP7Rbe2a0myYSef=7qLhVr6BevTNM7HeESGdVeoUXp5dERRKg@mail.gmail.com>
Date: Wed, 20 Aug 2014 22:14:30 -0400
Message-ID: <CAHbuEH7e2GYgVbgJME0G=OwCPn8aB1L1=Vn2GxKd1J_0oLbxNA@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: James M Snell <jasnell@gmail.com>
Content-Type: multipart/alternative; boundary="14dae94734a3dfb9c805011a47b5"
Archived-At: http://mailarchive.ietf.org/arch/msg/apps-discuss/eAYM0cKL2cjv_oDgAoupnIKnPjA
X-Mailman-Approved-At: Fri, 22 Aug 2014 12:31:21 -0700
Cc: draft-ietf-appsawg-json-merge-patch@tools.ietf.org, "appsawg-chairs@tools.ietf.org" <appsawg-chairs@tools.ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, Apps Discuss <apps-discuss@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [apps-discuss] Kathleen Moriarty's Discuss on draft-ietf-appsawg-json-merge-patch-06: (with DISCUSS)
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss/>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Aug 2014 02:14:35 -0000

On Wed, Aug 20, 2014 at 10:00 PM, James M Snell <jasnell@gmail.com> wrote:

>
> On Aug 20, 2014 6:50 PM, "Paul Hoffman" <paul.hoffman@vpnc.org> wrote:
> >
> [Snip]
>
> >
> > I'm not sure I can add those sentences in a useful fashion. With current
> delivery mechanisms (HTTP being the most common), MIME objects don't come
> with hashes for checking. So giving that advice would cause developers to
> look for something that they won't have, namely hashes of the MIME object
> they just got.
> >
>
> +1
>
> > I do hope you're not asking us to change the format to include an
> internal hash. That would require inventing JSON canonicalization (which
> the JOSE WG has flailed miserably on) and say "canonicalize, pick a hash
> function, hash, and add that to the patch object". The recipient would need
> to pull the hash out before processing the patch, canonicalize the result,
> and check the hash. This is conceptually possible but it seems onerous, and
> has not been done in any of the earlier patch formats that have been
> standardized in the IETF.
> >
>
> +1... Adding an internal hash would not work with this mechanism without
> taking a major step backwards. I do not see the value.
>
Not to worry, I wasn't asking for anything to be added other than text in
the security considerations for when it was possible, keying off of your
first response, "The document explicitly shows how to do this for any
MIME-aware transport. Some of those might come with hashes that the
recipient are expected to check, but most of the common ones today are
not."  Obviously, it would not be something required since it doesn't
always get delivered, but I don't see a reason to exclude mention of this
practice when it provides additional integrity checking when it is
available.

I guess I find it odd that this has not been done before, so I'm guessing
there has not been security issues yet that caused an update in practices?

Thanks.

> - James
>
> > --Paul Hoffman
> > _______________________________________________
> > apps-discuss mailing list
> > apps-discuss@ietf.org
> > https://www.ietf.org/mailman/listinfo/apps-discuss
>



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email