Re: [secdir] secdir review of draft-ietf-jsonbis-rfc7159bis-03

Julian Reschke, Wed, 08 March 2017 07:40 UTC

On 2017-03-08 02:48, Benjamin Kaduk wrote:
> I'm also concerned about the freewheeling use of Unicode.  While
> this document does discuss the potential encodings and lists UTF-8
> as the default (and most interoperable), I think it would benefit
> from a stricter warning that parties using JSON for communication
> must have some out-of-band way to agree on what encoding is to be
> used.  I would expect that this is usually going to be done by the
> protocol using JSON, but could see a place for the actual
> communicating peers to have out-of-band knowledge.  (An application
> having to guess what encoding is being used based on heuristics is a
> recipe for disaster.)
> ...

AFAIU, there is no need for out-of-band knowledge (which would be very
bad). Recipients are supposed to inspect the payload and detect which of
the three encodings was used.

That said, we probably should make that clearer.

> ...
> I'm also rather curious about the claim that no "charset" parameter
> is needed as it "really has no effect on compliant recipients".  Why
> is this not a good way to communicate whether UTF-8, UTF-16, or
> UTF-32 is in use for a given text?
> ...

It might have been, but that's now how it is implemented.

Best regards, Julian
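
Added example, not part of the original message or of the draft: one way a recipient can inspect the payload to tell UTF-8, UTF-16 and UTF-32 apart and then decode strictly instead of guessing further. It assumes a byte-order-mark check followed by a zero-octet pattern test on the first octets (the message does not name a detection algorithm); the function names `sniff_json_encoding` and `load_json_bytes` are hypothetical.

```python
import codecs
import json

# BOMs, longest first: the UTF-32LE BOM (FF FE 00 00) starts with the UTF-16LE BOM (FF FE).
_BOMS = [
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
]

def sniff_json_encoding(payload):
    """Return (codec name, number of BOM octets to skip) for a JSON payload."""
    for bom, name in _BOMS:
        if payload.startswith(bom):
            return name, len(bom)
    # The first character of any JSON text is ASCII (whitespace, bracket, quote,
    # digit, '-', 't', 'f', 'n'), so UTF-16/32 put zero octets beside it.
    head = payload[:4]
    if len(head) == 4:
        if head[:3] == b"\x00\x00\x00":
            return "utf-32-be", 0
        if head[1:] == b"\x00\x00\x00":
            return "utf-32-le", 0
    if len(head) >= 2:
        if head[0] == 0 and head[1] != 0:
            return "utf-16-be", 0
        if head[0] != 0 and head[1] == 0:
            return "utf-16-le", 0
    return "utf-8", 0

def load_json_bytes(payload):
    """Sniff, then decode strictly: a payload that does not decode cleanly in
    the sniffed encoding raises UnicodeDecodeError and is rejected, not retried."""
    name, skip = sniff_json_encoding(payload)
    text = payload[skip:].decode(name, errors="strict")
    return name, json.loads(text)

if __name__ == "__main__":
    # Constructed sample document, serialized in each encoding.
    sample = json.dumps({"user": "é", "admin": False}, ensure_ascii=False)
    for codec in ("utf-8", "utf-16-le", "utf-16-be", "utf-32-le", "utf-32-be"):
        print(codec, load_json_bytes(sample.encode(codec)))
```
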