Re: JSON headers - No: CBOR headers
"Poul-Henning Kamp" <phk@phk.freebsd.dk> Tue, 12 July 2016 08:27 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00A3612D75B for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 12 Jul 2016 01:27:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.208
X-Spam-Level:
X-Spam-Status: No, score=-8.208 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8mOjPXn1gOw2 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 12 Jul 2016 01:27:05 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72B3412D755 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 12 Jul 2016 01:27:05 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1bMsxf-0000HD-3d for ietf-http-wg-dist@listhub.w3.org; Tue, 12 Jul 2016 08:22:35 +0000
Resent-Date: Tue, 12 Jul 2016 08:22:35 +0000
Resent-Message-Id: <E1bMsxf-0000HD-3d@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <phk@phk.freebsd.dk>) id 1bMsxb-0000GI-Ex for ietf-http-wg@listhub.w3.org; Tue, 12 Jul 2016 08:22:31 +0000
Received: from phk.freebsd.dk ([130.225.244.222]) by maggie.w3.org with esmtp (Exim 4.80) (envelope-from <phk@phk.freebsd.dk>) id 1bMsxZ-00088P-A9 for ietf-http-wg@w3.org; Tue, 12 Jul 2016 08:22:30 +0000
Received: from critter.freebsd.dk (unknown [192.168.55.3]) by phk.freebsd.dk (Postfix) with ESMTP id 02BFE273CF; Tue, 12 Jul 2016 08:22:05 +0000 (UTC)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.15.2/8.15.2) with ESMTP id u6C8M3vN012802; Tue, 12 Jul 2016 08:22:04 GMT (envelope-from phk@phk.freebsd.dk)
To: Julian Reschke <julian.reschke@gmx.de>
cc: Carsten Bormann <cabo@tzi.org>, Willy Tarreau <w@1wt.eu>, Yanick Rochon <yanick.rochon@gmail.com>, Phil Hunt <phil.hunt@oracle.com>, HTTP Working Group <ietf-http-wg@w3.org>
In-reply-to: <928f8531-6573-caf6-50c1-1672cc020959@gmx.de>
From: Poul-Henning Kamp <phk@phk.freebsd.dk>
References: <8251.1468229350@critter.freebsd.dk> <e9a55629-656c-3b6a-3ac4-5fb7a109b2f0@gmx.de> <8739.1468234635@critter.freebsd.dk> <38b3e7bb-3202-f489-ff15-d4d545e13ca0@gmx.de> <8854.1468236033@critter.freebsd.dk> <326f0b93-dbd5-3dfb-2a35-d1bf084684b4@gmx.de> <9221.1468245597@critter.freebsd.dk> <aa9cee9c-d8e3-17ba-9fcd-e327575cd5a8@gmx.de> <9801.1468259070@critter.freebsd.dk> <15d27f23-6b51-1e8e-3f10-194c80570424@gmx.de> <20160711190107.GB9542@1wt.eu> <0e467573-4f68-80a5-14a4-5a63b41ac4d4@gmx.de> <57841F4A.30901@tzi.org> <57e2c1b6-749f-c697-5c92-15eeb44b303b@gmx.de> <57849130.4060104@tzi.org> <928f8531-6573-caf6-50c1-1672cc020959@gmx.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <12800.1468311723.1@critter.freebsd.dk>
Content-Transfer-Encoding: quoted-printable
Date: Tue, 12 Jul 2016 08:22:03 +0000
Message-ID: <12801.1468311723@critter.freebsd.dk>
Received-SPF: none client-ip=130.225.244.222; envelope-from=phk@phk.freebsd.dk; helo=phk.freebsd.dk
X-W3C-Hub-Spam-Status: No, score=-6.0
X-W3C-Hub-Spam-Report: AWL=-0.803, BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1bMsxZ-00088P-A9 7e0484db2f7fa46a452f4dc528fe4b58
X-Original-To: ietf-http-wg@w3.org
Subject: Re: JSON headers - No: CBOR headers
Archived-At: <http://www.w3.org/mid/12801.1468311723@critter.freebsd.dk>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31923
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
-------- In message <928f8531-6573-caf6-50c1-1672cc020959@gmx.de>, Julian Reschke writes : Tl;DR: I would prefer CBOR and base{64|85}(CBOR) to JSON >2) People abusing it to add comments to JSON (by choosing a member name >for comments, and repeating it). That is one of the places where I went "Doh?" when I first saw JSON, who the heck defines a data-interchange format with no support for comments ?! The answer, of course, is that JSON is not a data-interchange format, it is a subset of the JavaScript source code syntax, and they didn't include comments in that subset. JSON being "source compatible", has been correctly critized for being a wide open invitation for unsafe data-ingestion practices, with plenty of real world instances to validate the argument. We can take it as an absolutely certainty, that if we choose JSON serialization, too many people will just "eval" it into Javascript, opening them wide for malicius point-edits[1] and hostile actors. This is of course not our first priority for deciding, but it counts clearly against JSON. >> This discussion may be a bit off-topic for the HTTP WG, but I think it >> is important to understand JSON when using it in HTTP. > >Absolutely; and the conclusion might well be that we won't use JSON on >the wire. Carstens CBOR presentation from IETF94 is very good background here, and as a compentent data-interchange format CBOR (RFC7049) will get my vote over JSON any time. The problem with CBOR is that there does not seem to be a "CAOR" we can use with H1[2], but maybe that is a good thing. Eyeballing it, the size of base85(CBOR(obj)) or even base64(CBOR(obj)) seems to acceptably close to JSON. An implementation would use the same CBOR serdes code for both H1 and H2, with a trivial gloss of baseXX serdes on top for H1. I like that, in particular I like that it makes H1<-->H2 interop trivial, streamable, reliable and debuggable. Security-wise it is also preferable, because it forces everybody to use a proper serdes code[3], and it permantently closes the door to unsafe hacks such as 's/q=[0-9.]*/q=0/' CBOR gets my vote. Poul-Henning [1] My security friends would point to general principle, that one should avoid serializations which can be "point-edited" to change semantic content. (Text-book example: Computer printed cheques filling the amount field with non-space: "****1000$*".). Such "point-edited" HTTP headers are in widespread use in H1, for instance "nnoCection:" and similar hacks, but they are also used on the other side of the colon by smut-filters and "privacy controls", typically mangling Location:, (Set-)Cookie: and in some cases the URL. H2 and HPACK makes that shortcut a lot longer, but I very much suspect that these devices may retain their "application logic" and just deserialize, mangle and reserialize the headers. [2] CBOR does have a "Diagnostic Notation" which renders it to text, but it is not meant to be a data-interchange format, and as a debugging tool includes information that is surplus to (our) requirements. [3] At least until CBOR becomes valid syntax in INTERCAL. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
- Re: JSON headers Julian Reschke
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers Julian Reschke
- Re: JSON headers Carsten Bormann
- Re: JSON headers Julian Reschke
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers Martin J. Dürst
- Re: JSON headers Cory Benfield
- Re: JSON headers Julian Reschke
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers Julian Reschke
- Re: JSON headers Andy Green
- Re: JSON headers Julian Reschke
- Re: JSON headers Mark Nottingham
- Re: JSON headers Andy Green
- Re: JSON headers Julian Reschke
- Re: JSON headers Julian Reschke
- Re: JSON headers Julian Reschke
- Re: JSON headers Julian Reschke
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers Andy Green
- Re: JSON headers Martin J. Dürst
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers Cory Benfield
- Re: JSON headers Julian Reschke
- Re: JSON headers Yanick Rochon
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers Julian Reschke
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers Julian Reschke
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers Julian Reschke
- Re: JSON headers Kevin Marks
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers Poul-Henning Kamp
- RE: JSON headers Mike Bishop
- Re: JSON headers Phil Hunt
- JSON headers Poul-Henning Kamp
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers - No: CBOR headers Poul-Henning Kamp
- Re: JSON headers - No: CBOR headers Martin Thomson
- Re: JSON headers - No: CBOR headers Carsten Bormann
- Re: JSON headers - No: CBOR headers Martin Thomson
- Re: JSON headers Willy Tarreau
- Re: JSON headers nicolas.mailhot
- Re: JSON headers Yanick Rochon
- Re: JSON headers - No: CBOR headers Poul-Henning Kamp
- Re: JSON headers Carsten Bormann
- Re: JSON headers Julian Reschke
- Re: JSON headers Amos Jeffries
- Re: JSON headers Martin J. Dürst
- Re: JSON headers Julian Reschke
- Re: JSON headers Carsten Bormann
- Re: JSON headers Julian Reschke
- Re: JSON headers Willy Tarreau
- Re: JSON headers Yanick Rochon
- Re: JSON headers Willy Tarreau
- Re: JSON headers Carsten Bormann
- Re: JSON headers Yanick Rochon
- Re: JSON headers Willy Tarreau
- Re: JSON headers Julian Reschke
- Re: JSON headers Willy Tarreau
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers Julian Reschke
- Re: JSON headers Yanick Rochon
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers Tim Bray
- Re: JSON headers Phil Hunt (IDM)
- Re: JSON headers Julian Reschke
- Re: JSON headers Willy Tarreau
- Re: JSON headers Cory Benfield
- Re: JSON headers Poul-Henning Kamp
- Re: JSON headers Roy T. Fielding
- Re: JSON headers Roy T. Fielding