Re: [secdir] draft-ietf-appsawg-json-pointer-07 SECDIR Review
Mark Nottingham <mnot@mnot.net> Wed, 02 January 2013 04:12 UTC
Thanks for the review; replies below.

On 31/12/2012, at 2:11 PM, Donald Eastlake <d3e3e3@gmail.com> wrote:

> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. Document editors and WG chairs should treat these comments just
> like any other last call comments.
>
> This draft describes two closely related syntaxes for pointers to
> objects within a JSON (JavaScript Object Notation) document. One is a
> JSON string syntax, the other is a URI fragment identifier for URIs
> defined to take such a fragment identifier.
>
> Security:
>
> I do not see any security problems with this document. The syntax
> appears to be unambiguously specified, including ABNF, and the
> Security Considerations Section is adequate and touches on the
> potential pitfalls that JSON pointers can contain NULs.
>
> Miscellaneous:
>
> I found significant ambiguity in the semantics of a JSON pointer
> string. Is the result of the successful evaluation ("evaluation" is a
> term used in the draft) of such a pointer string a structure that
> points into a JSON document or is it the object pointed to? It
> mostly seems to be an object but it is specifically provided that
> array references could point beyond the end of an array and at least
> in that case perhaps some sort of pointer structure would be returned
> with the error condition. It probably doesn't matter, because these
> syntaxes are intended to be used in a variety of applications and it
> will be up to the application to clarify the semantics.

I think it's purposefully ambiguous, to accommodate a variety of applications.

> Minor:
>
> The expansion for the acronym JSON should be given in the title and abstract.

In SVN.

> In the first line of the second paragraph of Section 6, I found the
> word "nominate" kind of odd. Why not "specify" or "select" or "use"?

In SVN.

> None of the Authors' Addresses given includes a postal address.

Yes.
-- Mark Nottingham http://www.mnot.net/
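As an added illustration of the two readings of "evaluation" that the review asks about (example code written for this page, not part of the draft or of any message in the thread): a small JSON Pointer evaluator that follows the token, escape and array-index rules of the published JSON Pointer specification, RFC 6901, which is assumed here to carry the same rules as the draft under review. locate() returns a (container, final token) pair, the "pointer structure" reading, and therefore accepts "/foo/-" as a position past the end of an array; resolve() returns the referenced value and raises PointerError for "-", out-of-range and malformed indexes. The sample document is constructed for the example, including a member name that embeds a NUL, to show that such a pointer evaluates like any other and that the NUL concern is one for the application's string handling rather than for the pointer syntax.

```python
import json
import re


class PointerError(ValueError):
    """Raised when a JSON Pointer is malformed or cannot be resolved."""


# Array index tokens: "0" or digits without a leading zero (RFC 6901 section 4).
_INDEX_RE = re.compile(r"^(0|[1-9][0-9]*)$")


def parse_pointer(pointer):
    """Split a JSON Pointer string into its unescaped reference tokens.

    Escapes are decoded "~1" -> "/" first and "~0" -> "~" second, so that
    the token "~01" yields "~1" rather than "/".
    """
    if pointer == "":
        return []  # the empty pointer references the whole document
    if not pointer.startswith("/"):
        raise PointerError("pointer must be empty or start with '/'")
    return [tok.replace("~1", "/").replace("~0", "~")
            for tok in pointer[1:].split("/")]


def _step(current, tok):
    """Apply one reference token to the current value or raise PointerError."""
    if isinstance(current, dict):
        if tok not in current:
            raise PointerError("member %r not found" % tok)
        return current[tok]
    if isinstance(current, list):
        if tok == "-":
            # "-" names the nonexistent element after the last one; as a
            # value reference it is always an error condition.
            raise PointerError("'-' refers past the end of the array")
        if not _INDEX_RE.match(tok):
            raise PointerError("invalid array index %r" % tok)
        idx = int(tok)
        if idx >= len(current):
            raise PointerError("index %d out of range (length %d)" % (idx, len(current)))
        return current[idx]
    raise PointerError("cannot descend into a %s" % type(current).__name__)


def resolve(doc, pointer):
    """Reading 1: evaluation yields the JSON value the pointer refers to."""
    current = doc
    for tok in parse_pointer(pointer):
        current = _step(current, tok)
    return current


def locate(doc, pointer):
    """Reading 2: evaluation yields a (container, final_token) pair.

    Every token but the last must resolve; the last is returned unresolved,
    so "/foo/-" succeeds here (an append position) although resolve() fails.
    """
    tokens = parse_pointer(pointer)
    if not tokens:
        raise PointerError("the whole document has no enclosing container")
    current = doc
    for tok in tokens[:-1]:
        current = _step(current, tok)
    return current, tokens[-1]


# Constructed sample document (not from the draft); one member name embeds a NUL.
SAMPLE_DOC = json.loads(r'''{
  "foo": ["bar", "baz"],
  "": 0,
  "a/b": 1,
  "m~n": 8,
  "nul\u0000key": "embedded NUL"
}''')


def resolve_error(doc, pointer):
    """Return the error message for a pointer that does not resolve, else None."""
    try:
        resolve(doc, pointer)
    except PointerError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for p in ["", "/foo/0", "/", "/a~1b", "/m~0n", "/nul\x00key",
              "/foo/-", "/foo/2", "/foo/01"]:
        err = resolve_error(SAMPLE_DOC, p)
        print(repr(p), "->", "error: " + err if err else repr(resolve(SAMPLE_DOC, p)))
    print("locate /foo/- ->", locate(SAMPLE_DOC, "/foo/-"))
```

Run as a script it prints each pointer beside its value or its error; an application that needs the "append" semantics the review mentions would build on locate(), while one that only reads values would use resolve() and treat every PointerError as the draft's error condition.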