[Cbor] Do we care about array-tags issue 6, clamped-uint8 arrays?

Jeffrey Yasskin <jyasskin@google.com> Wed, 24 July 2019 20:01 UTC

From: Jeffrey Yasskin <jyasskin@google.com>
Date: Wed, 24 Jul 2019 16:01:35 -0400
Message-ID: <CANh-dXkkSJUOcHcBj1JRO20ULFVNNbu1GQU-j7bR7N-FCTt3HA@mail.gmail.com>
To: cbor@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/gyr8z9KpQke6R5B83AAf1t0iulo>
Subject: [Cbor] Do we care about array-tags issue 6, clamped-uint8 arrays?

In https://github.com/cbor-wg/array-tags/issues/6 I complained that
tag 68, marking clamped-uint8 data, is weird, in that clamped-ness is
a property of further processing rather than the data encoded in CBOR.
I worried that we might introduce security issues by allowing a
potentially-malicious sender to decide how the recipient processes the
received data.

More abstractly, I believe this is the only tag in the document that
extends the CBOR generic data model.

I don't think the current text adequately describes when a recipient
should create a Uint8ClampedArray from potentially-untrusted input
data. But I 1) didn't object during the last call and 2) don't think
this is a big enough issue to try to hold up the process if other
folks think it's fine.

So, how do other folks feel about the marker for clamped uint8 arrays?

Thanks,
Jeffrey
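
An added example, not part of the original message and not code from the array-tags draft or any CBOR library: two messages carrying identical bytes, differing only in the tag number, produce different results from the same recipient code once tag 68 is honoured. The names `decodeTaggedBytes`, `brighten` and the `allowClamped` option are hypothetical, the sample bytes are constructed, and tag 64 is the draft's plain uint8 typed-array tag.

```javascript
// Minimal decoder for one shape only: a tag with a 1-byte tag number
// followed by a byte string of at most 23 bytes. Not a general CBOR parser.
function decodeTaggedBytes(buf, { allowClamped = false } = {}) {
  if (buf[0] !== 0xd8) throw new Error("expected tag with 1-byte tag number");
  const tag = buf[1];
  const head = buf[2];
  if (head >> 5 !== 2 || (head & 0x1f) > 23) {
    throw new Error("expected short byte string");
  }
  const len = head & 0x1f;
  if (buf.length !== 3 + len) throw new Error("length mismatch");
  const bytes = buf.slice(3, 3 + len);

  if (tag === 64) return new Uint8Array(bytes);
  if (tag === 68) {
    // Hypothetical recipient policy: the tag alone does not select clamped
    // arithmetic; the application has to opt in for this input.
    return allowClamped ? new Uint8ClampedArray(bytes) : new Uint8Array(bytes);
  }
  throw new Error("unsupported tag " + tag);
}

// Stand-in for "further processing" by the recipient: the same code wraps
// modulo 256 on a Uint8Array and saturates at 255 on a Uint8ClampedArray.
function brighten(arr, delta) {
  for (let i = 0; i < arr.length; i++) arr[i] += delta;
  return Array.from(arr);
}

// Constructed sample messages: the payload bytes 10, 200, 250 are identical,
// only the tag number differs (0x40 = 64, 0x44 = 68).
const MSG_TAG_64 = Uint8Array.from([0xd8, 0x40, 0x43, 10, 200, 250]);
const MSG_TAG_68 = Uint8Array.from([0xd8, 0x44, 0x43, 10, 200, 250]);

function demo() {
  return {
    plain: brighten(decodeTaggedBytes(MSG_TAG_64), 10),
    senderChosen: brighten(decodeTaggedBytes(MSG_TAG_68, { allowClamped: true }), 10),
    policyDefault: brighten(decodeTaggedBytes(MSG_TAG_68), 10),
  };
}
```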