Re: [Json] Security Considerations
Peter Brooks <peter.h.m.brooks@gmail.com> Fri, 07 June 2013 06:23 UTC
Return-Path: <peter.h.m.brooks@gmail.com>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 791BC21F91B7 for <json@ietfa.amsl.com>; Thu, 6 Jun 2013 23:23:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.099
X-Spam-Level:
X-Spam-Status: No, score=-3.099 tagged_above=-999 required=5 tests=[AWL=0.500, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8JIUom1yniZA for <json@ietfa.amsl.com>; Thu, 6 Jun 2013 23:23:06 -0700 (PDT)
Received: from mail-qe0-f53.google.com (mail-qe0-f53.google.com [209.85.128.53]) by ietfa.amsl.com (Postfix) with ESMTP id B69BA21F90F4 for <json@ietf.org>; Thu, 6 Jun 2013 23:23:02 -0700 (PDT)
Received: by mail-qe0-f53.google.com with SMTP id 1so2482737qee.40 for <json@ietf.org>; Thu, 06 Jun 2013 23:23:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=i3rPYso+cNW3i+ccPlAFu1b6pRwSHV19EMz1weLdk/U=; b=oE6tBoUEvsn19Xqj8/fh1s085A0ns5Kt3CoMzSF4IkUlTuJlWAPQeCBt8S7bFEimGu 6W3YHIM0tia9OxIPFznoqLXyJBcFpJzzykyDF1i70aXGAhYocCCf8cc3J5a34eq5P2Qo pgcEYmkNKmCA2cNHGr6yLW/69ajPMfjyGfYL/Dy3RJ8T+HoOoPUlVLT791sRE13uhpg0 UoZ7l+RpOK/B6NYjxt40srTI9yt3+Zd01xVn0ammD8fwkdI2uRZ2JR1FERnwDqVYLu89 Cx8QO5LDa5IVViJecVfN8+F9esuu5weDFke05el7pV31OhieXKfRyEdZkU7EC6KEc+wV morw==
X-Received: by 10.49.75.73 with SMTP id a9mr45352870qew.30.1370586182099; Thu, 06 Jun 2013 23:23:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.49.118.68 with HTTP; Thu, 6 Jun 2013 23:22:21 -0700 (PDT)
In-Reply-To: <51B116FE.9050406@crockford.com>
References: <51B0E02E.4070209@crockford.com> <1BD0044B-D7A6-4C7F-899E-5D3E72C62956@vpnc.org> <51B116FE.9050406@crockford.com>
From: Peter Brooks <peter.h.m.brooks@gmail.com>
Date: Fri, 07 Jun 2013 08:22:21 +0200
Message-ID: <CAFtB7BSvQi+1p7LYm1WT6Vd1EmLcTN1p8=dpYMOnzu0P4v8K2Q@mail.gmail.com>
To: Douglas Crockford <douglas@crockford.com>
Content-Type: text/plain; charset="UTF-8"
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Security Considerations
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/json>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2013 06:23:11 -0000
I see two quite separate issues here. 1. The security of JSON itself as a data exchange mechanism 2. The ability for organisations to exercise good governance by having their defined security policy reflected transparently in the access controls of objects The first issue applies only where JSON is exchanged in cleartext. If JSON messages are exchanged through secure, encrypted channels, such as SSL, then the chance of any successful interception and modification of the message without detection is very small and more the responsibility of the security software than the structure of JSON itself. If JSON messages are exchanged in cleartext, that, itself, is an indication that they are public and unimportant, so the risk, even if they are intercepted and modified, is low. The second issue matters even if the JSON messages are encrypted. If the software fails to enforce corporate security policy, objects can be revealed to unauthorised parties without detection being easy, or even possible, as the logic is in the application, not the data, the JSON object itself. It is possible to secure JSON at the moment by adding fields that do one of two things: - Apply a corporate confidentiality level to an object ('Public','Private','Company Confidential','Internal Only','Board Members Only', for example). The names of the fields are not defined, though, so a scheme set up by one company would not be compatible with one set up by another, which would cause problems if the two merged. This inconsistency also makes it more difficult to validate the security mechanism. - Define the roles that are allowed to have, or are denied, access to an object. Again, this is possible today, but there is no agreement as to what syntax the access controls should follow or how the roles should be defined. If a system for security control was added to JSON in this way, it would have to be backwards compatible by having any object without a confidentiality level or access control being treated as PUBLIC. The virtue of embedding this in the objects, not the application, is: - applications can be tested and validated against access controls, in detail, and proved to be complying with the JSON security. - security staff, auditors and others can validate the security of objects against policy by examining only the JSON schema and JSON data with no requirement (once they have been tested and validated as above) to examine the applications themselves. Both of these would lead to JSON being recommended as an acceptable data exchange method for organisations requiring good security governance. Obviously, securing the JSON objects would not prevent JSON files being exchanged with the secure data exposed, but, again, the security of files or databases is the responsibility of other security matters, not the definition of JSON.
- [Json] Security Considerations Douglas Crockford
- Re: [Json] Security Considerations Gonzalo Salgueiro
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Peter Brooks
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Carsten Bormann
- [Json] Security Considerations Douglas Crockford
- Re: [Json] Security Considerations Stephan Beal
- Re: [Json] Security Considerations John Levine
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Douglas Crockford
- Re: [Json] Security Considerations Peter Brooks
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Description of parsers Stefan Drees
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations Paul Hoffman
- Re: [Json] Security Considerations Peter brooks
- Re: [Json] Security Considerations John Cowan
- Re: [Json] Security Considerations Peter brooks
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations Eliot Lear
- Re: [Json] Security Considerations Stefan Drees
- Re: [Json] Security Considerations John Levine
- Re: [Json] Security Considerations Stefan Drees
- [Json] Description of parsers Paul Hoffman
- Re: [Json] Description of parsers Stefan Drees
- Re: [Json] Description of parsers Carsten Bormann