IETF Logo Mail Archive

Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-cbor-7049bis-14

Laurence Lundblade <lgl@island-resort.com> Mon, 10 August 2020 20:33 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54B243A0D45 for <secdir@ietfa.amsl.com>; Mon, 10 Aug 2020 13:33:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u4HgFDSH18Bg for <secdir@ietfa.amsl.com>; Mon, 10 Aug 2020 13:33:41 -0700 (PDT)
Received: from p3plsmtpa06-04.prod.phx3.secureserver.net (p3plsmtpa06-04.prod.phx3.secureserver.net [173.201.192.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4805D3A0D3A for <secdir@ietf.org>; Mon, 10 Aug 2020 13:33:41 -0700 (PDT)
Received: from [192.168.1.78] ([76.167.193.86]) by :SMTPAUTH: with ESMTPA id 5ES5khEwTIGql5ES5kTCjl; Mon, 10 Aug 2020 13:31:26 -0700
X-CMAE-Analysis: v=2.3 cv=DMrxHBFb c=1 sm=1 tr=0 a=t2DvPg6iSvRzsOFYbaV4uQ==:117 a=t2DvPg6iSvRzsOFYbaV4uQ==:17 a=pGLkceISAAAA:8 a=48vgC7mUAAAA:8 a=LrfFbBZ_wH084i7_Up0A:9 a=QEXdDO2ut3YA:10 a=-RC9aWaX5pnV8SCgf80A:9 a=FkYPizaky_nWIz-_:21 a=_W_S_7VecoQA:10 a=w1C3t2QeGrPiZgrLijVG:22
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <CB9B5E79-B3CA-491F-A30A-5A0B4E08E064@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0F3FBFC2-638C-4BCC-B7FB-140628B61867"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Mon, 10 Aug 2020 13:31:25 -0700
In-Reply-To: <D3AA9975-187F-485A-A13E-6A878607DBCF@gmail.com>
Cc: secdir@ietf.org, cbor@ietf.org, draft-ietf-cbor-7049bis.all@ietf.org, last-call@ietf.org
To: Yaron Sheffer <yaronf.ietf@gmail.com>
References: <159705005508.2366.4819563096010229406@ietfa.amsl.com> <B3108FFC-319E-4D8B-8DF4-A866585781DE@island-resort.com> <D3AA9975-187F-485A-A13E-6A878607DBCF@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-CMAE-Envelope: MS4wfKN/6HdOYYBE+KfQcZObCH+tvjgMdeoFo8uPNc8ZdjbzNH/yF0EU2G2E7c6sErcBvJOjFzD8vZzEMULk3qtUlJvGYVR8r0NRys7mS44H0YMQg8s+Pyzy GvNIiKcbTIdF4GQuR0PSpeGnkxHgBwhFzHIE0eLyfLtoGbolzHOMYaWQGUDP6Y9fiNwdnirSNVL9iBd3RrrrNGFtbjal/OGzTTT+mOQE4ccpR+Y0oBdhB2vk vFvTtRxe19PUkN+1/IhjdZsbvyLNcB6RGT7B1wzueVD/sicNfdqvYDTrQtkl1aEhht7241sgzoy7y/34J7mbsw==
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/I_grARl_7GvOnPfLHschBdqgqYY>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-cbor-7049bis-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2020 20:33:42 -0000


> On Aug 10, 2020, at 1:24 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
> 
> On Aug 10, 2020, at 2:00 AM, Yaron Sheffer via Datatracker <noreply@ietf.org <mailto:noreply@ietf.org>> wrote:
>>  
>> Upon a quick read, it is not even clear to me which parts of Sec. 5
>> are required/expected in a validating-mode decoder.
> 
>  
> A generic decoder can do as little or as much validity checking as it wants to. What is required is that it documents what validity checking it does not do and that it does not prevent the user of the generic decoder from doing the validity checks.
>  
> The reason for this is that some validity checking is expensive for a CBOR decoder and is inexpensive for the consumer of the data. Checking the validity of UTF-8 or MIME-encoded messages are examples of this.
>  
> LL
>  
> I understand that, but realistically, without a list of (potential) validity checks in the RFC, there will be wide variance in what is documented by decoders – if any. In fact I checked a few implementations just now, and most of them do not document what validity checks they perform. Those that document something are hard to compare. If you make a canonical list, people would have a starting point.

Having made a few crude lists of validity checks myself to try to understand what was what, such a list seems reasonable to me.

LL

v2.23.0 | Report a Bug | By Email