IETF Logo Mail Archive

Re: [Cbor] Handling duplicate map keys

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 25 November 2019 23:57 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: cbor@ietfa.amsl.com
Delivered-To: cbor@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74E2B120CDB for <cbor@ietfa.amsl.com>; Mon, 25 Nov 2019 15:57:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.484
X-Spam-Level: **
X-Spam-Status: No, score=2.484 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_12_24=1.049, RCVD_IN_SBL_CSS=3.335, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tNKl2NbT3ZAa for <cbor@ietfa.amsl.com>; Mon, 25 Nov 2019 15:57:24 -0800 (PST)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00::f03c:91ff:feae:de77]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 602C6120FC8 for <cbor@ietf.org>; Mon, 25 Nov 2019 15:57:24 -0800 (PST)
Received: from dooku.sandelman.ca (unknown [194.42.227.53]) by relay.sandelman.ca (Postfix) with ESMTPS id CB60B1F480 for <cbor@ietf.org>; Mon, 25 Nov 2019 23:57:21 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 055311376; Mon, 25 Nov 2019 16:02:30 +0800 (+08)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: cbor@ietf.org
In-reply-to: <F81E1A57-6072-44FA-A148-8F3ED7520791@island-resort.com>
References: <CANh-dX=EVDa4EwrgWKof4kCD3nkfV3BvH0Cg5ZKOivmXJ_Dm8g@mail.gmail.com> <E5C74E1F-A5F4-4AB8-9787-3999C4697C3B@island-resort.com> <CANh-dX=1gkAtfSG-yzCsVAkk=oLM-=dN_JLCr1kQK3d6Jb0fSw@mail.gmail.com> <F81E1A57-6072-44FA-A148-8F3ED7520791@island-resort.com>
Comments: In-reply-to Laurence Lundblade <lgl@island-resort.com> message dated "Sat, 23 Nov 2019 07:21:49 -0800."
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Mon, 25 Nov 2019 09:02:30 +0100
Message-ID: <32467.1574668950@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/WJODOQCTEjixqcX7RbBIROt6Hng>
Subject: Re: [Cbor] Handling duplicate map keys
X-BeenThere: cbor@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Concise Binary Object Representation \(CBOR\)" <cbor.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cbor>, <mailto:cbor-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cbor/>
List-Post: <mailto:cbor@ietf.org>
List-Help: <mailto:cbor-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cbor>, <mailto:cbor-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Nov 2019 23:57:25 -0000

Laurence Lundblade <lgl@island-resort.com> wrote:
    > My intention was that “pass all items up” covers your case.

python, ruby, lua, java, etc. dictionaries can not "pass all items up"
The reason why JSON is so successful is because it maps into native
dictionaries (maps) trivially.

In order to pass things up, a different structure will be necessary,
at which point many developers and protocol designers will see no value in
CBOR over a bespoke binary encoding.

It is this refusal to define a specific algorithm for dealing with duplicates
that is leading to security issues.  It's not the duplicates themselves that
is the problem, it is the ambiguity.

I am less afraid to declare an answer and make some decoders non-compliant.
I think that they will get fixed.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email