Re: [Json] JSON or I-JSON?
David Kemp <dk190a@gmail.com> Fri, 26 February 2021 17:41 UTC
Return-Path: <dk190a@gmail.com>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C3963A1393 for <json@ietfa.amsl.com>; Fri, 26 Feb 2021 09:41:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.097
X-Spam-Level:
X-Spam-Status: No, score=-1.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xhcUwAeL7VVy for <json@ietfa.amsl.com>; Fri, 26 Feb 2021 09:41:13 -0800 (PST)
Received: from mail-oi1-x229.google.com (mail-oi1-x229.google.com [IPv6:2607:f8b0:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55BFD3A1392 for <json@ietf.org>; Fri, 26 Feb 2021 09:41:13 -0800 (PST)
Received: by mail-oi1-x229.google.com with SMTP id h17so10538304oih.5 for <json@ietf.org>; Fri, 26 Feb 2021 09:41:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OTT7QcMSn9BmySjjCFPeG1nk+J/EJKRjJeqbIJzzfEs=; b=rZyqwVHlTC4ub91xyj8R2QVfXwB3KUBEeQ8t0wfm+AoCxraBGvozRaLCdBw/aHAA2j x4cZw756xhEqJQfzy6HDvkTmxdH5g9q8JyrX63EBLCp7wCgzYhFfsZEDr2+ZEfSTo7Fg 2gSy63kQQp5pZODFYmwnmNegqJ1az/lEjD/eNfFeMoLrAQt942H6oh5nGo/aPPlHEFem vuDBY6iBPYZM9g592MMUEdJT2oVakqD2ZpD+kmgr7VzialiFqR8RmZZERVT+ziwP3rn/ 7QH/7jayB5+tTDqSbk0i0+5NAF4CC2MGm3YcGXuUSB6RUSSDG9YFuxvaHicHWUPDZ4KX /Hig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OTT7QcMSn9BmySjjCFPeG1nk+J/EJKRjJeqbIJzzfEs=; b=jjTRPDIqEc4LUM9BP7MVWG9LrmDE7BQLab01VcKk4LKlEphnaQ1tY36cbRaHksf+Ym W55oB2s3occSJSR0zqHSViVAs6nwULQ+PP23u4ljtVjYV7yyjlQPEqcwvEQaip5V0PEo Gcffv+BndCh7qwSnDkqwdSoj2GRcAjh+VR6IVn5M8OqKVYx5yW4SiqKDeCPIbM9T/Adr LyDqpBSnnQJO/1EB2TJQuq1fwqBd4TjLu/TNK5oi2JNvOFmReE4+jFwGrTJy+aAttzi9 yTlcqiDZvoYtGXK1iLZXwnrr9XYYTWwlnXKh27ypUjYTZjWoz+s2qQf/QsZtEvUV6bXX 6mpw==
X-Gm-Message-State: AOAM5332qjUbeBsh1l14KGFagLlOLZDrg90A1+1bxnV1eH/aIeV421bA v/f6SxyyiIXX4azv6XQ0tsXPNfBpvOHBh56M46Q=
X-Google-Smtp-Source: ABdhPJxRqxBzV6ZdCLTzLJaR6uB6KRRDbHkrV29bwwIW6r7IGdbY5AdmL5Ol9n2+ay47tAnjSWWLlB2UFOa0KF3SC2I=
X-Received: by 2002:aca:bd85:: with SMTP id n127mr2848822oif.178.1614361272594; Fri, 26 Feb 2021 09:41:12 -0800 (PST)
MIME-Version: 1.0
References: <90cddfc3-c320-5ac0-210b-c77636383a6b@codalogic.com> <1c819bc9-283d-e36b-7de2-507553420faa@gmail.com> <CAD2gp_TKzBkK=G6PrSKmLyg=67MmFdszCi7X1LVeoO89r63jQA@mail.gmail.com> <ce21b4d4-b384-6428-7002-0f029eb6918f@codalogic.com> <CAHBU6iv0E2111g99Y4AzX1MWhPAE=SsZxnU9y9zQHUuEAWgVqg@mail.gmail.com>
In-Reply-To: <CAHBU6iv0E2111g99Y4AzX1MWhPAE=SsZxnU9y9zQHUuEAWgVqg@mail.gmail.com>
From: David Kemp <dk190a@gmail.com>
Date: Fri, 26 Feb 2021 12:41:00 -0500
Message-ID: <CAE5tNmoGNEaxE1MxYAouq_UkFj48L6VLG-tgLL5r5OpKnHy+kA@mail.gmail.com>
To: Tim Bray <tbray@textuality.com>
Cc: Pete Cordell <petejson@codalogic.com>, "json@ietf.org" <json@ietf.org>, John Cowan <cowan@ccil.org>, Anders Rundgren <anders.rundgren.net@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000003137f705bc40c6a3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/json/KvyFTj6abbqMKPIGK98oAy5tPPg>
Subject: Re: [Json] JSON or I-JSON?
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/json/>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Feb 2021 17:41:15 -0000
Most of the I-JSON constraints are good for interoperability, and as Anders
points out, the lack of a distinct Integer type means that some
applications must use String rather than Number to represent Integers. But
section 4.2 ("must-ignore") is anathema to security, and the fact that that
is not even discussed in RFC 7493's security considerations is negligent.
If you are designing a protocol that uses, for example, Reputons (
https://tools.ietf.org/html/draft-ietf-repute-media-type-13#section-3.1),
and a Reputon can contain megabytes of malware, or mpegs of cats being
cute, or 14th century pornography (
https://github.com/oasis-tcs/openc2-usecases/blob/master/Cybercom-Plugfest/TestData/slpf%2Bacme/commands/bad/create_poetry.json),
that isn't necessarily a good thing for the Internet.
Dave
On Fri, Feb 26, 2021 at 10:03 AM Tim Bray <tbray@textuality.com> wrote:
> I personally would use I-JSON if possible because it has useful MUSTs in
> it to help resolve arguments between implementors. [But then, I edited the
> RFC, so I would.] There's one downside, which is that as far as I know,
> there's little software that actually enforces the I-JSON constraints.
>
> On Fri, Feb 26, 2021 at 6:55 AM Pete Cordell <petejson@codalogic.com>
> wrote:
>
>> On 26/02/2021 13:59, John Cowan wrote:
>> >
>> >
>> > On Fri, Feb 26, 2021 at 7:49 AM Anders Rundgren
>> > <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>>
>> > wrote:
>> >
>> > If the standard-to-be is supposed to interoperate with browsers and
>> > node.js the only viable option is RFC7493.
>> >
>> > If the standard-to-be also targets the financial market, further
>> > constraints apply since floating point arithmetic is ill-suited for
>> > monetary operations. E.g. a monetary amount of 46.99 should be
>> > represented in JSON as the string "46.99".
>> >
>> >
>> > RFC 8259 incorporates all of the restrictions of 7493 as
>> > interoperability warnings, including the one above. That way it stays
>> > compatible with ECMA-404 (which has no such restrictions or warnings)
>> > but still steers you away from the dark corners of JSON.
>>
>> RFC 8259 tells you "that way lies madness" but doesn't actually tell you
>> to not to go that way! RFC 7493 makes it explicit not to go that way
>> for those that might otherwise say "well you didn't tell me not to...".
>>
>> Pete.
>> --
>> ---------------------------------------------------------------------
>> Pete Cordell
>> Codalogic Ltd
>> C++ tools for C++ programmers, http://codalogic.com
>> Read & write XML in C++, http://www.xml2cpp.com
>> ---------------------------------------------------------------------
>>
>> _______________________________________________
>> json mailing list
>> json@ietf.org
>> https://www.ietf.org/mailman/listinfo/json
>>
> _______________________________________________
> json mailing list
> json@ietf.org
> https://www.ietf.org/mailman/listinfo/json
>
- [Json] JSON or I-JSON? Pete Cordell
- Re: [Json] JSON or I-JSON? Anders Rundgren
- Re: [Json] JSON or I-JSON? Carsten Bormann
- Re: [Json] JSON or I-JSON? John Cowan
- Re: [Json] JSON or I-JSON? Pete Cordell
- Re: [Json] JSON or I-JSON? Pete Cordell
- Re: [Json] JSON or I-JSON? Tim Bray
- Re: [Json] JSON or I-JSON? David Kemp
- Re: [Json] JSON or I-JSON? John Cowan
- Re: [Json] JSON or I-JSON? Phillip Hallam-Baker