IETF Logo Mail Archive

Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-cbor-7049bis-14

Yaron Sheffer <yaronf.ietf@gmail.com> Mon, 10 August 2020 20:24 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B64143A0D2B; Mon, 10 Aug 2020 13:24:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.523
X-Spam-Level:
X-Spam-Status: No, score=-0.523 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MALFORMED_FREEMAIL=1.573, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Og2E5w1YjSrW; Mon, 10 Aug 2020 13:24:48 -0700 (PDT)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 408563A0D23; Mon, 10 Aug 2020 13:24:48 -0700 (PDT)
Received: by mail-wr1-x429.google.com with SMTP id a5so9404428wrm.6; Mon, 10 Aug 2020 13:24:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version; bh=AKfSvr1qGuFtK9wmI2mKX+3hnGeItBCCnnZZ5gyPh7o=; b=GxXvMXUpWoreJTJkb4lUz29qZk0tGszqmL3hqjPnTnwuZScpXHSIYzaZacNKQ9C6n2 eEsqwWuaGLD9KMfmJLXUomJWk1hC1cbpc2JO5VSSTX5JWNr0jMVWxUbqVrGnMLZD+3LD JVjCUFzrvFSih2QR58ptBy1VHuj6GXs8Vms5pHC0lA8Qgh0Rh3A4NhpffDIWiKSMLJse pAt1oHbgpApWbzp2sN/O3XdizodWmH/p6k2TA/0SaIInpdjAlqtsK8Z7n76vcxCZcvwy 9z9DejuQLIFlzrUoIf6bTIBMBoFdg/uns8wXEh+6W3MZXjYZV06QC0OTcbilasHq/Mmt H7Ow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version; bh=AKfSvr1qGuFtK9wmI2mKX+3hnGeItBCCnnZZ5gyPh7o=; b=QV/P9hDAtZA9YEBriPBnP0Uijtd2759Ff2AdWGlj0O56qEXgnypqJuG9vT+O3CGdVC w67FNtOD+1yTuUdTRi4DOaAAbDtA3/h+8wEKkLFj8LqrWex1qHqCSkqJquapl9Ei7/Mf qzWS7+mUYbBTIAXiEGBcneSXEybasOcB1/wtumGn2u60ASn5HHrecpmraTWU0hBywo6A Vkg9CW25FXb3WATamTKzXWpjZE1TxOXRXNfc5bY5plANQJnnl/i5MSBt4CSqtGGh2/oh wyWcPN6UL2cQRxSCjjGI2Z+9YUlTMDLDbPxE6V1Lr08bzzZ2yuBnWkiITYi6BFD9DHbR Eifw==
X-Gm-Message-State: AOAM530JsGjYYIahYBYejryhRArJ3yDhdwiYiS6NXhIGo6RNSjr6MqVL oeWeRgYIPsvPYZA4NNPTV3M=
X-Google-Smtp-Source: ABdhPJykGYa+NKNrPKOTSnvnPIOSZWtcrIFZUCqJap+PdQlCWE5m+IX3F5OTyl+1e5kI+2MoQR1ioA==
X-Received: by 2002:a5d:400e:: with SMTP id n14mr2911146wrp.75.1597091086812; Mon, 10 Aug 2020 13:24:46 -0700 (PDT)
Received: from [172.26.49.35] (pub-corp-42-8.intuit.com. [91.102.42.8]) by smtp.gmail.com with ESMTPSA id p6sm21626062wru.33.2020.08.10.13.24.45 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 10 Aug 2020 13:24:46 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.39.20071300
Date: Mon, 10 Aug 2020 23:24:44 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Laurence Lundblade <lgl@island-resort.com>
CC: secdir@ietf.org, cbor@ietf.org, draft-ietf-cbor-7049bis.all@ietf.org, last-call@ietf.org
Message-ID: <D3AA9975-187F-485A-A13E-6A878607DBCF@gmail.com>
Thread-Topic: [Last-Call] Secdir last call review of draft-ietf-cbor-7049bis-14
References: <159705005508.2366.4819563096010229406@ietfa.amsl.com> <B3108FFC-319E-4D8B-8DF4-A866585781DE@island-resort.com>
In-Reply-To: <B3108FFC-319E-4D8B-8DF4-A866585781DE@island-resort.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3679946685_595924970"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/DA6v8GwrwKxNmw-3viZU1-2Y9xw>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-cbor-7049bis-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2020 20:24:50 -0000

On Aug 10, 2020, at 2:00 AM, Yaron Sheffer via Datatracker <noreply@ietf.org> wrote:

 

Upon a quick read, it is not even clear to me which parts of Sec. 5
are required/expected in a validating-mode decoder.

 

A generic decoder can do as little or as much validity checking as it wants to. What is required is that it documents what validity checking it does not do and that it does not prevent the user of the generic decoder from doing the validity checks.

 

The reason for this is that some validity checking is expensive for a CBOR decoder and is inexpensive for the consumer of the data. Checking the validity of UTF-8 or MIME-encoded messages are examples of this.

 

LL

 

I understand that, but realistically, without a list of (potential) validity checks in the RFC, there will be wide variance in what is documented by decoders – if any. In fact I checked a few implementations just now, and most of them do not document what validity checks they perform. Those that document something are hard to compare. If you make a canonical list, people would have a starting point.

 

Thanks,

                Yaron

v2.23.0 | Report a Bug | By Email