Re: [Last-Call] [EXTERNAL] Secdir last call review of draft-ietf-jsonpath-iregexp-06

Mike Ounsworth <Mike.Ounsworth@entrust.com> Sun, 28 May 2023 00:31 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Carsten Bormann <cabo@tzi.org>
CC: Tim Bray <tbray@textuality.com>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-jsonpath-iregexp.all@ietf.org" <draft-ietf-jsonpath-iregexp.all@ietf.org>, "jsonpath@ietf.org" <jsonpath@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "\"Martin J. Dürst\"" <duerst@it.aoyama.ac.jp>
Date: Sun, 28 May 2023 00:31:14 +0000
Message-ID: <CH0PR11MB5739B63A135ED8188DEE8BA29F459@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <168416383998.50512.953102690552943438@ietfa.amsl.com> <CAHBU6iuKKp3g_HbhgaZT8CcStQBKoaHOcdf9ogku=bftYt5wgA@mail.gmail.com> <CH0PR11MB57396636498D34CC633E2C3F9F789@CH0PR11MB5739.namprd11.prod.outlook.com> <82B020F8-5B25-4F7D-9824-A9E0615BC10C@tzi.org>
In-Reply-To: <82B020F8-5B25-4F7D-9824-A9E0615BC10C@tzi.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/GyVLp14N7Ilz6GSWf0mul0whev0>
Subject: Re: [Last-Call] [EXTERNAL] Secdir last call review of draft-ietf-jsonpath-iregexp-06

As I stated on PR #27, I am good with these changes; thank you for adding the extra discussion to avoid people thinking that I-Regexps fully close off these attack threats.

---
Mike Ounsworth

-----Original Message-----
From: Carsten Bormann <cabo@tzi.org>
Sent: Thursday, May 25, 2023 5:59 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: Tim Bray <tbray@textuality.com>; secdir@ietf.org; draft-ietf-jsonpath-iregexp.all@ietf.org; jsonpath@ietf.org; last-call@ietf.org; "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
Subject: Re: [EXTERNAL] Secdir last call review of draft-ietf-jsonpath-iregexp-06

Hi Mike,

> On 2023-05-15, at 18:40, Mike Ounsworth <Mike.Ounsworth@entrust.com> wrote:
>
> If you put any sort of paragraph to that effect, then I’ll be happy.

Actually, this thread turned into a number of new paragraphs.

In PR #27 [1], new text has been added specifically about resource consumption (time and space) based attacks.  This text is a bit longer than I wanted because it has to distinguish the two cases, I-Regexp-specific implementation vs. re-use of an existing Regexp implementation, and there is no simple perfect way to handle twisted applications of range-quantifiers.  Thanks to Martin Dürst for preparing much of this text in his original comment.

PR #26 [2] picks up the comments made by Rob Sayre and generalizes the concerns in a way that is useful in this specification.  We now reference STD 63 (RFC 3629), interestingly as an informative reference, as this discusses related issues in more detail than would fit this specification.

Thank you for getting this thread started with your comment!

Comments on the two PRs will be appreciated.

Grüße, Carsten


[1]: https://urldefense.com/v3/__https://github.com/ietf-wg-jsonpath/iregexp/pull/27__;!!FJ-Y8qCqXTj2!ftDjXHWUMZfZDAwCOB-GHJoVLwB9qCwCNfEdN01DQ4VIoLt_xMQcX2Vpig_1UCGrf5iRV4VvZlr-bTw$
[2]: https://urldefense.com/v3/__https://github.com/ietf-wg-jsonpath/iregexp/pull/26__;!!FJ-Y8qCqXTj2!ftDjXHWUMZfZDAwCOB-GHJoVLwB9qCwCNfEdN01DQ4VIoLt_xMQcX2Vpig_1UCGrf5iRV4Vvm_Z_rb4$
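One defender-side check for the resource-consumption concern discussed above, as added example code that is not from the draft, PR #27 or its authors: an implementation that unrolls counted ranges into copies can estimate the unrolled size of nested `{n,m}` quantifiers before compiling a pattern and refuse anything above a budget. The grammar subset, the function names and the 10,000-atom budget are assumptions.

```python
import re

_RANGE = re.compile(r"\{(\d+)(?:,(\d*))?\}")   # {n}, {n,} or {n,m}

def unrolled_size(pattern: str) -> int:
    """Worst-case atom count after unrolling counted ranges into copies, for an
    I-Regexp-like subset (literals, \\-escapes, [classes], (groups), '|', ? * + {n,m})."""
    pos = 0
    def alternation() -> int:        # parses up to ')' or end of pattern
        nonlocal pos
        total = 0
        while pos < len(pattern) and pattern[pos] != ")":
            if pattern[pos] == "|":
                pos += 1             # every branch is present in the automaton
            else:
                total += quantified_atom()
        return total
    def atom() -> int:
        nonlocal pos
        c = pattern[pos]
        if c == "(":
            pos += 1
            size = alternation()
            pos += 1                 # consume ')'; a missing one trips the final check
            return size
        if c == "[":                 # a whole class is a single atom
            pos += 1
            while pos < len(pattern) and pattern[pos] != "]":
                pos += 2 if pattern[pos] == "\\" else 1
        elif c == "\\":
            pos += 1                 # skip the escaped character too
        pos += 1
        return 1
    def quantified_atom() -> int:
        nonlocal pos
        size = atom()
        if pos < len(pattern) and pattern[pos] in "?*+":
            pos += 1                 # loops are not unrolled: no blow-up
        elif m := _RANGE.match(pattern, pos):
            pos = m.end()
            hi = m.group(2)          # None for {n}, "" for {n,}, digits for {n,m}
            size *= int(m.group(1)) if not hi else int(hi)
        return size
    size = alternation()
    if pos != len(pattern):          # stray ')', unbalanced '(' or truncated escape
        raise ValueError("malformed pattern")
    return size

def within_budget(pattern: str, budget: int = 10_000) -> bool:  # budget is assumed
    return unrolled_size(pattern) <= budget
```

The estimate is deliberately coarse: it counts copies that unrolling would create, not matching time, so it catches the nested-range blow-up without replacing the engine's own limits.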
