Re: [Json] Security Considerations
Peter Brooks <peter.h.m.brooks@gmail.com> Thu, 06 June 2013 05:13 UTC
Return-Path: <peter.h.m.brooks@gmail.com>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CF6F21F96C6 for <json@ietfa.amsl.com>; Wed, 5 Jun 2013 22:13:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QmtCJsSH0+cy for <json@ietfa.amsl.com>; Wed, 5 Jun 2013 22:13:20 -0700 (PDT)
Received: from mail-qa0-x234.google.com (mail-qa0-x234.google.com [IPv6:2607:f8b0:400d:c00::234]) by ietfa.amsl.com (Postfix) with ESMTP id 9B3E521F96A9 for <json@ietf.org>; Wed, 5 Jun 2013 22:13:20 -0700 (PDT)
Received: by mail-qa0-f52.google.com with SMTP id bv4so61033qab.11 for <json@ietf.org>; Wed, 05 Jun 2013 22:13:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=tmKi5FFIIOnbC5TOygsnXRxJ+UWNMYjoS15V5ApoKEg=; b=HjreZsVTwdgRupu0BQ7b9WkA6F/No+kEpomH1rEsrTd2lQNnO9Hvrw8HPtok8P1GQK 80hcvb4yfybHRzi6LiPkrog5g8MmfOpjG2dnVPFBXKHSJqGCYBEIEM1zd+sPI2UQhrdG N8Mbjh49R95dWN5uLjZXP5EcuyTsBPTg3FqIMmXCDMurc1BKTq/BaOv5QelCy79veJOa xCcv67xMajrQeJUm4cwY8WtPs5ECfWVSkBjkMe+/ji2uTHL00Ec5Lu0R5p5pPiK/qaY0 KcEnmeInw50zn525yhZT1vgaqke5trLgVdQ31yidcgQ2B8Y2EPYOA5k2A2kxXtqcwt60 nbug==
X-Received: by 10.49.96.104 with SMTP id dr8mr37904573qeb.43.1370495600102; Wed, 05 Jun 2013 22:13:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.49.118.68 with HTTP; Wed, 5 Jun 2013 22:12:40 -0700 (PDT)
In-Reply-To: <2E4D08E5-3AF2-42F5-874A-9CD872800717@vpnc.org>
References: <51AF7C55.3070606@crockford.com> <2E4D08E5-3AF2-42F5-874A-9CD872800717@vpnc.org>
From: Peter Brooks <peter.h.m.brooks@gmail.com>
Date: Thu, 06 Jun 2013 07:12:40 +0200
Message-ID: <CAFtB7BQvUbJtKyK8oARBywVva7KKp8a6Rhn_Zg7VRKh6Ug64Zw@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="UTF-8"
Cc: "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Security Considerations
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/json>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2013 05:13:21 -0000
On 6 June 2013 02:20, Paul Hoffman <paul.hoffman@vpnc.org> wrote: > On Jun 5, 2013, at 10:58 AM, Douglas Crockford <douglas@crockford.com> wrote: > >> The section on security considerations is completely inadequate. It is describing a use of JavaScript eval that is now considered to be a very bad practice, and it provides no advice for other languages. >> >> It should instead be advising care when constructing JSON texts, insisting on proper encoding practices and avoidance of concatenation. > > Who wants to take a stab at proposed Security Considerations wording? This should probably go in Section 7, not Section 6, so that allows a bit more formatting such as headers and such. > How far can this go before it becomes completely new stuff that should be excluded from the scope? For security to work, each object ought to be able to specify the roles that have read or modify access - with a well defined policy (echoing the current position for backwards compatibility) to describe what happens when there are no access rights defined for an object. It is good practice for the actual security requirements for each object to be documented in the object - if they are not, and application logic is relied upon to provide access control, then it is difficult, if not impossible, to have proper governance of access control. There is no better documentation than that that provides the actual control.
- [Json] Security Considerations Douglas Crockford
- Re: [Json] Security Considerations Gonzalo Salgueiro
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Peter Brooks
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Carsten Bormann
- [Json] Security Considerations Douglas Crockford
- Re: [Json] Security Considerations Stephan Beal
- Re: [Json] Security Considerations John Levine
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Douglas Crockford
- Re: [Json] Security Considerations Peter Brooks
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Description of parsers Stefan Drees
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Peter brooks
- Re: [Json] Security Considerations John Cowan
- Re: [Json] Security Considerations Peter brooks
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations Eliot Lear
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations John Levine
- Re: [Json] Security Considerations Stefan Drees
- [Json] Description of parsers Paul Hoffman
- Re: [Json] Description of parsers Stefan Drees
- Re: [Json] Description of parsers Carsten Bormann