[Cbor] Tag validity: embedded MIME vs. embedded CBOR

Carsten Bormann <cabo@tzi.org> Wed, 03 July 2019 04:24 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: cbor@ietfa.amsl.com
Delivered-To: cbor@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E667E12014B for <cbor@ietfa.amsl.com>; Tue, 2 Jul 2019 21:24:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yKJyOPZkHOnX for <cbor@ietfa.amsl.com>; Tue, 2 Jul 2019 21:24:20 -0700 (PDT)
Received: from smtp.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7605120044 for <cbor@ietf.org>; Tue, 2 Jul 2019 21:24:20 -0700 (PDT)
Received: from [192.168.217.110] (p5089AF7E.dip0.t-ipconnect.de [80.137.175.126]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.uni-bremen.de (Postfix) with ESMTPSA id 45dp0L3tHSzyWG; Wed, 3 Jul 2019 06:24:18 +0200 (CEST)
From: Carsten Bormann <cabo@tzi.org>
Content-Type: text/plain; charset=utf-8
X-Mao-Original-Outgoing-Id: 583820655.872244-2854ab8bf5934f4238684cf6c5adb565
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Wed, 3 Jul 2019 06:24:17 +0200
Message-Id: <4247F407-1047-4220-9289-584D7A68DFB5@tzi.org>
To: cbor@ietf.org
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/PsmUU9GmjFY7ChdD7uQYqkTk2zs>
Subject: [Cbor] Tag validity: embedded MIME vs. embedded CBOR
X-BeenThere: cbor@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Concise Binary Object Representation \(CBOR\)" <cbor.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cbor>, <mailto:cbor-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cbor/>
List-Post: <mailto:cbor@ietf.org>
List-Help: <mailto:cbor-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cbor>, <mailto:cbor-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2019 04:24:23 -0000

In 7049bis -06, there are several embedded formats that can be tagged.
Quoting:

* Tag 36 is for MIME messages (including all headers), as defined in
  {{RFC2045}}. A text string that isn't a valid MIME message is
  invalid.

[…]

Tag 24 (CBOR data item) can be used to tag the
embedded byte string as a data item encoded in CBOR format.  Contained
items that aren't byte strings are invalid.  Any contained byte string
is valid, even if it encodes an invalid or ill-formed CBOR item.

What is our position on embedded formats?  Why is MIME validity-checked and CBOR not?  I would expect a consistent answer here, one that also can guide new tag definitions.

Given that Tag validity checking is optional in a generic decoder (which we still need to properly write up; currently only the security considerations are clear about that), we can be a bit strict on the definition of validity here:  I’m leaning towards making CBOR well-formedness (or validity?) a prerequisite of tag 24 validity.

(Now https://github.com/cbor-wg/CBORbis/issues/86 .)

Grüße, Carsten