IETF Logo Mail Archive

Re: [Json] Security Considerations

Peter Brooks <peter.h.m.brooks@gmail.com> Thu, 06 June 2013 05:13 UTC

Return-Path: <peter.h.m.brooks@gmail.com>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CF6F21F96C6 for <json@ietfa.amsl.com>; Wed, 5 Jun 2013 22:13:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QmtCJsSH0+cy for <json@ietfa.amsl.com>; Wed, 5 Jun 2013 22:13:20 -0700 (PDT)
Received: from mail-qa0-x234.google.com (mail-qa0-x234.google.com [IPv6:2607:f8b0:400d:c00::234]) by ietfa.amsl.com (Postfix) with ESMTP id 9B3E521F96A9 for <json@ietf.org>; Wed, 5 Jun 2013 22:13:20 -0700 (PDT)
Received: by mail-qa0-f52.google.com with SMTP id bv4so61033qab.11 for <json@ietf.org>; Wed, 05 Jun 2013 22:13:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=tmKi5FFIIOnbC5TOygsnXRxJ+UWNMYjoS15V5ApoKEg=; b=HjreZsVTwdgRupu0BQ7b9WkA6F/No+kEpomH1rEsrTd2lQNnO9Hvrw8HPtok8P1GQK 80hcvb4yfybHRzi6LiPkrog5g8MmfOpjG2dnVPFBXKHSJqGCYBEIEM1zd+sPI2UQhrdG N8Mbjh49R95dWN5uLjZXP5EcuyTsBPTg3FqIMmXCDMurc1BKTq/BaOv5QelCy79veJOa xCcv67xMajrQeJUm4cwY8WtPs5ECfWVSkBjkMe+/ji2uTHL00Ec5Lu0R5p5pPiK/qaY0 KcEnmeInw50zn525yhZT1vgaqke5trLgVdQ31yidcgQ2B8Y2EPYOA5k2A2kxXtqcwt60 nbug==
X-Received: by 10.49.96.104 with SMTP id dr8mr37904573qeb.43.1370495600102; Wed, 05 Jun 2013 22:13:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.49.118.68 with HTTP; Wed, 5 Jun 2013 22:12:40 -0700 (PDT)
In-Reply-To: <2E4D08E5-3AF2-42F5-874A-9CD872800717@vpnc.org>
References: <51AF7C55.3070606@crockford.com> <2E4D08E5-3AF2-42F5-874A-9CD872800717@vpnc.org>
From: Peter Brooks <peter.h.m.brooks@gmail.com>
Date: Thu, 06 Jun 2013 07:12:40 +0200
Message-ID: <CAFtB7BQvUbJtKyK8oARBywVva7KKp8a6Rhn_Zg7VRKh6Ug64Zw@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="UTF-8"
Cc: "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Security Considerations
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/json>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2013 05:13:21 -0000

On 6 June 2013 02:20, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> On Jun 5, 2013, at 10:58 AM, Douglas Crockford <douglas@crockford.com> wrote:
>
>> The section on security considerations is completely inadequate. It is describing a use of JavaScript eval that is now considered to be a very bad practice, and it provides no advice for other languages.
>>
>> It should instead be advising care when constructing JSON texts, insisting on proper encoding practices and avoidance of concatenation.
>
> Who wants to take a stab at proposed Security Considerations wording? This should probably go in Section 7, not Section 6, so that allows a bit more formatting such as headers and such.
>
How far can this go before it becomes completely new stuff that should
be excluded from the scope?

For security to work, each object ought to be able to specify the
roles that have read or modify access - with a well defined policy
(echoing the current position for backwards compatibility) to describe
what happens when there are no access rights defined for an object.

It is good practice for the actual security requirements for each
object to be documented in the object - if they are not, and
application logic is relied upon to provide access control, then it is
difficult, if not impossible, to have proper governance of access
control. There is no better documentation than that that provides the
actual control.

v2.23.0 | Report a Bug | By Email