Re: [Cbor] Tag validity: embedded MIME vs. embedded CBOR
Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 03 July 2019 05:04 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: cbor@ietfa.amsl.com
Delivered-To: cbor@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A7D5120191 for <cbor@ietfa.amsl.com>; Tue, 2 Jul 2019 22:04:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KzvGc1jJ3JEh for <cbor@ietfa.amsl.com>; Tue, 2 Jul 2019 22:04:16 -0700 (PDT)
Received: from mail-pl1-x634.google.com (mail-pl1-x634.google.com [IPv6:2607:f8b0:4864:20::634]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 423B612018D for <cbor@ietf.org>; Tue, 2 Jul 2019 22:04:16 -0700 (PDT)
Received: by mail-pl1-x634.google.com with SMTP id a93so525792pla.7 for <cbor@ietf.org>; Tue, 02 Jul 2019 22:04:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:cc:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=diwKwGg84u8onNKi4P/F4YwUTKg+ccrU4H+IzTKGy+8=; b=elrIAZBIn/k1aEpi0TmKJk0RMAyOZzaQFrggM6vuiyeFyndo1wfgTiDWKddCx+OCTs idYZu1hE7yL1u/FkfiZ+sfg3/ovpF8KPYl4cpngaWm4r2/WFhWNLlFuldyE99yLoVT99 5orHaR/jg4ivj+jnFo+r71pN7A5Gn+Mbrdc/qGBJx+MxM2GMlFo7SHrB1ZRzJ3cBz7LT wDCzSJP2XMgDMVqNwtOwPOho5A8HmHbiq8aR7PCb1Z+eb8mYIjGP4qDpRanRnf3luz09 LG+tZH0TTYvqjlMxD6O9LZzjvwcE/AJx31sXKqokw0Lj2A9f0C8LqX5BMveYqnvcKD6B WJNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:cc:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=diwKwGg84u8onNKi4P/F4YwUTKg+ccrU4H+IzTKGy+8=; b=Q2Jy/mvgfpV/1Xpfg5KGFWyHYiJe3hAV0XrFlzyQhfMTFSA9mFrPOBszX2lNFi1kJK JnX4wlSWK0ZkMrucM/1pXt1Va8sxRWvuKEmCShWnhrmL5dqfftto8OBMHsqiNJmLH0DT pFBa7em4nEliQER5H2YTK2LcQviRx0b44ZE9BTjp25AWsUVFTEnhT67zeif1WupSLuPz jGZ/p2JrLf2iGHos4k8tai3kMlAR4uWR+A5ySPndjb/y4woLjSCE9E/TxOfRVEFCM1Ta crXtG8VHgv4AFC6hMVJQqv2JG7jrG1fTXMXLDwW8wPEKe1dadZ6+nFP1x9XcW6L0A6W6 jiqw==
X-Gm-Message-State: APjAAAW9GNuGFsH7U/kXiy0hwY0Nonx3TMCxvCLw4pMzO19nM4nju22n DA0RdF+MOJnnDafAF23ga6/Us40l
X-Google-Smtp-Source: APXvYqyD281MlOX+oDDIFCW3o4GxjNxRiSFR0Lm4xHBU+iKnttnoVchuKdBeVi91vSLMu9Rj2/7Hqg==
X-Received: by 2002:a17:902:ac88:: with SMTP id h8mr40149239plr.12.1562130255596; Tue, 02 Jul 2019 22:04:15 -0700 (PDT)
Received: from [192.168.178.30] (32.23.255.123.dynamic.snap.net.nz. [123.255.23.32]) by smtp.gmail.com with ESMTPSA id z20sm1098888pfk.72.2019.07.02.22.04.13 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 02 Jul 2019 22:04:14 -0700 (PDT)
To: Carsten Bormann <cabo@tzi.org>
References: <4247F407-1047-4220-9289-584D7A68DFB5@tzi.org>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: cbor@ietf.org
Message-ID: <ccbb6a0f-9966-3b8f-1bcd-97626481c8c8@gmail.com>
Date: Wed, 03 Jul 2019 17:04:11 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <4247F407-1047-4220-9289-584D7A68DFB5@tzi.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/DKxndsAVfOGI4p-7ZADIGjtlufs>
Subject: Re: [Cbor] Tag validity: embedded MIME vs. embedded CBOR
X-BeenThere: cbor@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Concise Binary Object Representation \(CBOR\)" <cbor.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cbor>, <mailto:cbor-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cbor/>
List-Post: <mailto:cbor@ietf.org>
List-Help: <mailto:cbor-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cbor>, <mailto:cbor-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2019 05:04:18 -0000
On 03-Jul-19 16:24, Carsten Bormann wrote:
> In 7049bis -06, there are several embedded formats that can be tagged.
> Quoting:
>
> * Tag 36 is for MIME messages (including all headers), as defined in
> {{RFC2045}}. A text string that isn't a valid MIME message is
> invalid.
>
> […]
>
> Tag 24 (CBOR data item) can be used to tag the
> embedded byte string as a data item encoded in CBOR format. Contained
> items that aren't byte strings are invalid. Any contained byte string
> is valid, even if it encodes an invalid or ill-formed CBOR item.
>
> What is our position on embedded formats? Why is MIME validity-checked and CBOR not? I would expect a consistent answer here, one that also can guide new tag definitions.
However, Tag 24 is always going to be a slightly special case, isn't it? A CBOR implementation is surely able to check whether the embedded CBOR is valid. But a validator for some other embedded format may not even be available in a particular implementation.
> Given that Tag validity checking is optional in a generic decoder (which we still need to properly write up; currently only the security considerations are clear about that), we can be a bit strict on the definition of validity here: I’m leaning towards making CBOR well-formedness (or validity?) a prerequisite of tag 24 validity.
Looking at the code I wrote for Tag 24 encoded values in GRASP objectives, I see that I effectively enforced that rule at the encoding stage, to avoid the risk of an exception at the decoding stage. So I think I agree with you.
Brian
>
> (Now https://github.com/cbor-wg/CBORbis/issues/86 .)
>
> Grüße, Carsten
>
> _______________________________________________
> CBOR mailing list
> CBOR@ietf.org
> https://www.ietf.org/mailman/listinfo/cbor
>
- [Cbor] Tag validity: embedded MIME vs. embedded C… Carsten Bormann
- Re: [Cbor] Tag validity: embedded MIME vs. embedd… Brian E Carpenter