IETF Logo Mail Archive

Re: [Json] Security Considerations

Peter Brooks <peter.h.m.brooks@gmail.com> Fri, 07 June 2013 06:23 UTC

Return-Path: <peter.h.m.brooks@gmail.com>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 791BC21F91B7 for <json@ietfa.amsl.com>; Thu, 6 Jun 2013 23:23:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.099
X-Spam-Level:
X-Spam-Status: No, score=-3.099 tagged_above=-999 required=5 tests=[AWL=0.500, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8JIUom1yniZA for <json@ietfa.amsl.com>; Thu, 6 Jun 2013 23:23:06 -0700 (PDT)
Received: from mail-qe0-f53.google.com (mail-qe0-f53.google.com [209.85.128.53]) by ietfa.amsl.com (Postfix) with ESMTP id B69BA21F90F4 for <json@ietf.org>; Thu, 6 Jun 2013 23:23:02 -0700 (PDT)
Received: by mail-qe0-f53.google.com with SMTP id 1so2482737qee.40 for <json@ietf.org>; Thu, 06 Jun 2013 23:23:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=i3rPYso+cNW3i+ccPlAFu1b6pRwSHV19EMz1weLdk/U=; b=oE6tBoUEvsn19Xqj8/fh1s085A0ns5Kt3CoMzSF4IkUlTuJlWAPQeCBt8S7bFEimGu 6W3YHIM0tia9OxIPFznoqLXyJBcFpJzzykyDF1i70aXGAhYocCCf8cc3J5a34eq5P2Qo pgcEYmkNKmCA2cNHGr6yLW/69ajPMfjyGfYL/Dy3RJ8T+HoOoPUlVLT791sRE13uhpg0 UoZ7l+RpOK/B6NYjxt40srTI9yt3+Zd01xVn0ammD8fwkdI2uRZ2JR1FERnwDqVYLu89 Cx8QO5LDa5IVViJecVfN8+F9esuu5weDFke05el7pV31OhieXKfRyEdZkU7EC6KEc+wV morw==
X-Received: by 10.49.75.73 with SMTP id a9mr45352870qew.30.1370586182099; Thu, 06 Jun 2013 23:23:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.49.118.68 with HTTP; Thu, 6 Jun 2013 23:22:21 -0700 (PDT)
In-Reply-To: <51B116FE.9050406@crockford.com>
References: <51B0E02E.4070209@crockford.com> <1BD0044B-D7A6-4C7F-899E-5D3E72C62956@vpnc.org> <51B116FE.9050406@crockford.com>
From: Peter Brooks <peter.h.m.brooks@gmail.com>
Date: Fri, 07 Jun 2013 08:22:21 +0200
Message-ID: <CAFtB7BSvQi+1p7LYm1WT6Vd1EmLcTN1p8=dpYMOnzu0P4v8K2Q@mail.gmail.com>
To: Douglas Crockford <douglas@crockford.com>
Content-Type: text/plain; charset="UTF-8"
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Security Considerations
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/json>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2013 06:23:11 -0000

I see two quite separate issues here.

1. The security of JSON itself as a data exchange mechanism
2. The ability for organisations to exercise good governance by having
their defined security policy reflected transparently in the access
controls of objects

The first issue applies only where JSON is exchanged in cleartext. If
JSON messages are exchanged through secure, encrypted channels, such
as SSL, then the chance of any successful interception and
modification of the message without detection is very small and more
the responsibility of the security software than the structure of JSON
itself. If JSON messages are exchanged in cleartext, that, itself, is
an indication that they are public and unimportant, so the risk, even
if they are intercepted and modified, is low.

The second issue matters even if the JSON messages are encrypted. If
the software fails to enforce corporate security policy, objects can
be revealed to unauthorised parties without detection being easy, or
even possible, as the logic is in the application, not the data, the
JSON object itself.

It is possible to secure JSON at the moment by adding fields that do
one of two things:

- Apply a corporate confidentiality level to an object
('Public','Private','Company Confidential','Internal Only','Board
Members Only', for example). The names of the fields are not defined,
though, so a scheme set up by one company would not be compatible with
one set up by another, which would cause problems if the two merged.
This inconsistency also makes it more difficult to validate the
security mechanism.

- Define the roles that are allowed to have, or are denied, access to
an object. Again, this is possible today, but there is no agreement as
to what syntax the access controls should follow or how the roles
should be defined.

If a system for security control was added to JSON in this way, it
would have to be backwards compatible by having any object without a
confidentiality level or access control being treated as PUBLIC.

The virtue of embedding this in the objects, not the application, is:

- applications can be tested and validated against access controls, in
detail, and proved to be complying with the JSON security.

- security staff, auditors and others can validate the security of
objects against policy by examining only the JSON schema and JSON data
with no requirement (once they have been tested and validated as
above) to examine the applications themselves.

Both of these would lead to JSON being recommended as an acceptable
data exchange method for organisations requiring good security
governance.

Obviously, securing the JSON objects would not prevent JSON files
being exchanged with the secure data exposed, but, again, the security
of files or databases is the responsibility of other security matters,
not the definition of JSON.

v2.23.0 | Report a Bug | By Email