Re: [dispatch] draft-goessner-dispatch-jsonpath-00.txt

Carsten Bormann <cabo@tzi.org> Wed, 15 July 2020 18:56 UTC

To: Kévin Dunglas <kevin@dunglas.fr>
Cc: Brian Rosen <br@brianrosen.net>, Martin Thomson <mt@lowentropy.net>, dispatch@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/zqxcV7PwQDZqWtroxVT6ZUScayA>

On 2020-07-15, at 15:35, Kévin Dunglas <kevin@dunglas.fr> wrote:
> 
> However we have voluntarily decided to not recommend JSONPath and to not implement it in the reference implementation because of the security considerations already pointed out by Martin and because it would allow (as GraphQL) a bad client to run easily very complex queries (which may be a DOS/DDOS attack vector).

Security considerations are an important point in the definition of JSONPath.
Instead of other formats adopting varying subsets of JSONPath that they happen to deem secure, I think it would be better to have a “secure” profile of JSONPath.
Note that this isn’t XPath (which is Turing equivalent…).

Regards, Carsten
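
One way a server that accepts client-supplied JSONPath could admit only a restricted profile, added here as an example and not taken from the draft or from either poster: it rejects script and filter expressions and caps recursive descent and wildcard/slice fan-out before any query is evaluated. The name `check_profile`, the numeric limits and the choice of rejected constructs are assumptions for illustration.

```python
import re

# Assumed limits for illustration; neither the thread nor the draft defines them.
LIMITS = {"length": 128, "segments": 12, "descendants": 1, "fanout": 2}

INT = r"(?:-?\d+)?"
SEGMENT = re.compile(          # ".name", "..name", ".*", "[...]" or "..[...]"
    r"(?P<dots>\.\.?)?(?:(?P<name>[A-Za-z_][\w-]*|\*)|\[(?P<bracket>[^\[\]]*)\])")
SLICE = re.compile(rf"{INT}:{INT}(?::{INT})?")
ITEM = r"""(?:-?\d+|'[^']*'|"[^"]*")"""
UNION = re.compile(rf"{ITEM}(?:,{ITEM})*")   # indexes and quoted names only


def check_profile(expr, limits=LIMITS):
    """Return the list of profile violations; an empty list means 'accept'."""
    if len(expr) > limits["length"]:
        return ["query too long"]            # refuse before any parsing work
    if not expr.startswith("$"):
        return ["query must start at the root '$'"]
    problems, pos = [], 1
    counts = {"segments": 0, "descendants": 0, "fanout": 0}
    while pos < len(expr):
        m = SEGMENT.match(expr, pos)
        dots, name, bracket = m.group("dots", "name", "bracket") if m else (None,) * 3
        if not m or (name is not None and dots is None) or (bracket is not None and dots == "."):
            return problems + [f"syntax error at offset {pos}"]
        body = name if name is not None else bracket.strip()
        counts["segments"] += 1
        counts["descendants"] += dots == ".."
        if body == "*" or (bracket is not None and SLICE.fullmatch(body)):
            counts["fanout"] += 1            # selects an unbounded number of nodes
        elif bracket is not None and body[:1] in ("?", "("):
            problems.append(f"script/filter expression at offset {pos}")
        elif bracket is not None and not UNION.fullmatch(body):
            problems.append(f"unsupported selector at offset {pos}")
        pos = m.end()
    for key, used in counts.items():
        if used > limits[key]:
            problems.append(f"too many {key}: {used} > {limits[key]}")
    return problems


# Constructed sample queries, as a server might receive them from clients.
SAMPLES = ["$.store.book[0].title", "$..book[*].author", "$..*..*..*",
           "$.store.book[?(@.price < 10)]", "$.book[(@.length-1)]"]

if __name__ == "__main__":
    for query in SAMPLES:
        print(query, "->", check_profile(query) or "accepted")
```

The check runs in time linear in the query length and is applied before the query reaches any JSONPath evaluator, so a rejected query costs the server no traversal of the document.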