From nobody Tue Aug 11 12:14:46 2020 Return-Path: X-Original-To: cbor@ietfa.amsl.com Delivered-To: cbor@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A93B53A09B8; Tue, 11 Aug 2020 12:14:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.525 X-Spam-Level: X-Spam-Status: No, score=-0.525 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, MALFORMED_FREEMAIL=1.573, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qQHJO8e2k6XC; Tue, 11 Aug 2020 12:14:43 -0700 (PDT) Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 463463A08B9; Tue, 11 Aug 2020 12:14:43 -0700 (PDT) Received: by mail-wr1-x429.google.com with SMTP id z18so12494516wrm.12; Tue, 11 Aug 2020 12:14:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version:content-transfer-encoding; bh=FHCW0B6tNxV3sMDbqtqd1CpBIpQUPnBYH2zwF02eVO8=; b=ofnvDpdgnaGhZfJ7K89cLO5+xxu1ZiQuyX7+70vOmdAizmJg2OsX9jWCFCCS0z0HLW 5Q5Rk2+TK0Rev3WwAQGLlsk5BmXqqyJPeh0XZzZScOb3lWkCxLQjbBnO/oMh0h7hKsxP zLyNA4sRtLH5OYFEPBEXiwY920zF37WarDBQ+2ctfkc1/Ukv9yULQrAz1/WMV7BePO9+ Uyfj/l8833m+ySGO8KFanCzEDComR6y0TJU8wiFwoW2NTZofmXNQ1xMRj5Xn7nRtFVVy 7P0l3GI1oMmNsLl/kvUXa1Qi2nqFlcpwWf7gXmGRFhSUV3UPkjgoKWNcsVKy1fHQihHE x6jA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version :content-transfer-encoding; bh=FHCW0B6tNxV3sMDbqtqd1CpBIpQUPnBYH2zwF02eVO8=; b=uUnceyi6vDMtc84Am7RnEhl/IlTrghm7efoMZtiyCPzZHpCazhlXOkyk5x4f6TlRnC QTymK7uBpSzd0Kxgso9lyubtvaVXj0o3aIfYHwKmgpqCD6xJcziDlrxm2SLB92HoK0bu nqZaFv5+4TbbjpuxOhN1YKaS4xAlA+5k1XxZV3V1ttR+cBtUclUrPCErb104SZ8YVYys 2iuwAM2+BmFxQlJ+1iSjR8Zdpxg/4a9jhCWOHNDOg5CkX3eZ4zOFF24cCoN2yL9wKjFa 3Y962I6VI5xAki3r7bw3/geiG30x2qcnrIjG19qALRb2Y481ctcgHj6WrKCIZIIwNlPm bCfg== X-Gm-Message-State: AOAM5339OAldFLeBygTmeILZq4pXM5tM+61Hs0gT86MdHfryUE4q9Fik t9t6ImBNq7lyUR7y8RLL+Oo= X-Google-Smtp-Source: ABdhPJxe/jFFV+V2LN0r9rcZN4+LDD/p8Oi9OEIOPZoHkIWZXoFZWATrbiVEJuEbK7+kYfaSKY/fpA== X-Received: by 2002:adf:fac8:: with SMTP id a8mr30810494wrs.368.1597173281626; Tue, 11 Aug 2020 12:14:41 -0700 (PDT) Received: from [172.26.49.35] (pub-corp-42-8.intuit.com. [91.102.42.8]) by smtp.gmail.com with ESMTPSA id o125sm6998874wma.27.2020.08.11.12.14.40 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Aug 2020 12:14:41 -0700 (PDT) User-Agent: Microsoft-MacOutlook/16.39.20071300 Date: Tue, 11 Aug 2020 22:14:39 +0300 From: Yaron Sheffer To: Carsten Bormann CC: Laurence Lundblade , , , , Message-ID: Thread-Topic: [Last-Call] Secdir last call review of draft-ietf-cbor-7049bis-14 References: <159705005508.2366.4819563096010229406@ietfa.amsl.com> <6A1090D8-D012-4A04-BC4A-9CF23E791DA2@tzi.org> In-Reply-To: <6A1090D8-D012-4A04-BC4A-9CF23E791DA2@tzi.org> Mime-version: 1.0 Content-type: text/plain; charset="UTF-8" Content-transfer-encoding: quoted-printable Archived-At: Subject: Re: [Cbor] [Last-Call] Secdir last call review of draft-ietf-cbor-7049bis-14 X-BeenThere: cbor@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Concise Binary Object Representation \(CBOR\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Aug 2020 19:14:45 -0000 >=20 > I understand that, but realistically, without a list of (potential) v= alidity checks in the RFC, there will be wide variance in what is documented= by decoders =E2=80=93 if any. In fact I checked a few implementations just now, a= nd most of them do not document what validity checks they perform. Those tha= t document something are hard to compare. If you make a canonical list, peop= le would have a starting point. To be fair, you probably checked RFC 7049 implementations, and RFC 7049= didn=E2=80=99t have such a requirement (improving the discussion of validity was = one of the major work items in 7049bis, see Appendix G.3). One point to keep in mind is that, with CBOR, most validity processing = happens in the processing of tags, and that is an extension point. So a lis= t in 7049bis will never be complete. Even if it only covers base CBOR and t= he tags registered in 7049/7049bis, a detailed version is likely to be tedio= us and highly dependent of specific implementation approaches. Trying to imagine the outcome of this exercise, my visual image right n= ow is a PICS Proforma, so I think I=E2=80=99ll better stop here... Gr=C3=BC=C3=9Fe, Carsten Hi Carsten, You are addressing this issue from the point of view of a spec writer, I su= ggest you take the POV of the implementer, the user of a decoder. Those peop= le are not CBOR experts, and when faced with free-form and probably terse do= cumentation of a decoder's validity checking would never know what they need= to consider to add as application-level checking. I realize that tags are an extension point, but if we are to avoid decoding= -related vulnerabilities, I suggest you list validity checks for the base CB= OR and tags in RFC7049+bis. Thanks, Yaron