Re: [Json] Proposed minimal change for duplicate names in objects

Nico Williams <> Sun, 07 July 2013 06:25 UTC

To: Jim Schaad <>
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <>

On Sun, Jul 7, 2013 at 12:44 AM, Jim Schaad <> wrote:
> To be perfectly honest,  I would personally argue that this is a
> requirement that parsers need to enforce.  The JOSE group is going to
> need some interesting text about what happens if it is using a parser
> that does not enforce this mechanism.  And an even more interesting

JOSE was going to need that anyways.  If we manage to reach the
consensus you want then JOSE won't need to, but will JOSE wait for

> question of how this would ever be determined if the parser is not
> part of the application itself.  That is how does a JOSE application
> know that the built in (assuming there is one) parser for the FOO
> language/environment it is operating in will correctly do the
> detection for it and not use the rule of grab the last value.

I'd say... "read the docs" and "test the parser" :)

(you'd have to no matter what; what if you got a YAML-based parser
that had remote code execution vulnerabilities?  surely you'd want to
avoid that...)

> I would also be open to the argument that a streaming parser is not
> really an entire parser and the thing that consumes the output of a
> streaming parser could be the entity that enforces the uniqueness
> requirement.

Right, that was my proposal.  There's little appetite for describing
parser types in the RFC though.

I'm ambivalent, but willing to go with requiring rejection of objects
with dup names.
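
The "test the parser" advice, and the idea that the consumer of a parser's output enforces name uniqueness, shown as an added example that is not part of the original message. Python's built-in json module stands in for the environment's built-in parser; strict_loads, probe_parser and DuplicateNameError are hypothetical names, and the sample input is constructed.

```python
import json


class DuplicateNameError(ValueError):
    """Raised when a JSON object repeats a member name."""


def _unique_pairs(pairs):
    # json calls this hook once per object, innermost first, with the
    # (name, value) pairs in document order, before any dict is built.
    # Names arrive already unescaped, so "a" and "\u0061" compare equal.
    obj = {}
    for name, value in pairs:
        if name in obj:
            raise DuplicateNameError(f"duplicate member name: {name!r}")
        obj[name] = value
    return obj


def strict_loads(text):
    """Parse JSON, rejecting any object that has duplicate names."""
    return json.loads(text, object_pairs_hook=_unique_pairs)


def probe_parser(loads):
    """Classify how a loads()-style parser treats duplicate names."""
    sample = '{"n": "first", "n": "last"}'  # constructed test input
    try:
        result = loads(sample)
    except ValueError:
        return "rejects"
    value = result.get("n")
    return {"first": "keeps-first", "last": "keeps-last"}.get(value, "other")


if __name__ == "__main__":
    # The stock parser silently applies the "grab the last value" rule;
    # the wrapper that consumes its pair stream turns that into an error.
    print("json.loads  :", probe_parser(json.loads))
    print("strict_loads:", probe_parser(strict_loads))
```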