Re: [Cbor] Tag validity: embedded MIME vs. embedded CBOR

Brian E Carpenter <> Wed, 03 July 2019 05:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3A7D5120191 for <>; Tue, 2 Jul 2019 22:04:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KzvGc1jJ3JEh for <>; Tue, 2 Jul 2019 22:04:16 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::634]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 423B612018D for <>; Tue, 2 Jul 2019 22:04:16 -0700 (PDT)
Received: by with SMTP id a93so525792pla.7 for <>; Tue, 02 Jul 2019 22:04:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=subject:to:references:from:cc:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=diwKwGg84u8onNKi4P/F4YwUTKg+ccrU4H+IzTKGy+8=; b=elrIAZBIn/k1aEpi0TmKJk0RMAyOZzaQFrggM6vuiyeFyndo1wfgTiDWKddCx+OCTs idYZu1hE7yL1u/FkfiZ+sfg3/ovpF8KPYl4cpngaWm4r2/WFhWNLlFuldyE99yLoVT99 5orHaR/jg4ivj+jnFo+r71pN7A5Gn+Mbrdc/qGBJx+MxM2GMlFo7SHrB1ZRzJ3cBz7LT wDCzSJP2XMgDMVqNwtOwPOho5A8HmHbiq8aR7PCb1Z+eb8mYIjGP4qDpRanRnf3luz09 LG+tZH0TTYvqjlMxD6O9LZzjvwcE/AJx31sXKqokw0Lj2A9f0C8LqX5BMveYqnvcKD6B WJNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:references:from:cc:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=diwKwGg84u8onNKi4P/F4YwUTKg+ccrU4H+IzTKGy+8=; b=Q2Jy/mvgfpV/1Xpfg5KGFWyHYiJe3hAV0XrFlzyQhfMTFSA9mFrPOBszX2lNFi1kJK JnX4wlSWK0ZkMrucM/1pXt1Va8sxRWvuKEmCShWnhrmL5dqfftto8OBMHsqiNJmLH0DT pFBa7em4nEliQER5H2YTK2LcQviRx0b44ZE9BTjp25AWsUVFTEnhT67zeif1WupSLuPz jGZ/p2JrLf2iGHos4k8tai3kMlAR4uWR+A5ySPndjb/y4woLjSCE9E/TxOfRVEFCM1Ta crXtG8VHgv4AFC6hMVJQqv2JG7jrG1fTXMXLDwW8wPEKe1dadZ6+nFP1x9XcW6L0A6W6 jiqw==
X-Gm-Message-State: APjAAAW9GNuGFsH7U/kXiy0hwY0Nonx3TMCxvCLw4pMzO19nM4nju22n DA0RdF+MOJnnDafAF23ga6/Us40l
X-Google-Smtp-Source: APXvYqyD281MlOX+oDDIFCW3o4GxjNxRiSFR0Lm4xHBU+iKnttnoVchuKdBeVi91vSLMu9Rj2/7Hqg==
X-Received: by 2002:a17:902:ac88:: with SMTP id h8mr40149239plr.12.1562130255596; Tue, 02 Jul 2019 22:04:15 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id z20sm1098888pfk.72.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 02 Jul 2019 22:04:14 -0700 (PDT)
To: Carsten Bormann <>
References: <>
From: Brian E Carpenter <>
Message-ID: <>
Date: Wed, 3 Jul 2019 17:04:11 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [Cbor] Tag validity: embedded MIME vs. embedded CBOR
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Concise Binary Object Representation \(CBOR\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 03 Jul 2019 05:04:18 -0000

On 03-Jul-19 16:24, Carsten Bormann wrote:
> In 7049bis -06, there are several embedded formats that can be tagged.
> Quoting:
> * Tag 36 is for MIME messages (including all headers), as defined in
>   {{RFC2045}}. A text string that isn't a valid MIME message is
>   invalid.
> […]
> Tag 24 (CBOR data item) can be used to tag the
> embedded byte string as a data item encoded in CBOR format.  Contained
> items that aren't byte strings are invalid.  Any contained byte string
> is valid, even if it encodes an invalid or ill-formed CBOR item.
> What is our position on embedded formats?  Why is MIME validity-checked and CBOR not?  I would expect a consistent answer here, one that also can guide new tag definitions.

However, Tag 24 is always going to be a slightly special case, isn't it? A CBOR implementation is surely able to check whether the embedded CBOR is valid. But a validator for some other embedded format may not even be available in a particular implementation.

> Given that Tag validity checking is optional in a generic decoder (which we still need to properly write up; currently only the security considerations are clear about that), we can be a bit strict on the definition of validity here:  I’m leaning towards making CBOR well-formedness (or validity?) a prerequisite of tag 24 validity.

Looking at the code I wrote for Tag 24 encoded values in GRASP objectives, I see that I effectively enforced that rule at the encoding stage, to avoid the risk of an exception at the decoding stage. So I think I agree with you.


> (Now .)
> Grüße, Carsten
> _______________________________________________
> CBOR mailing list