Re: [secdir] secdir review of draft-ietf-json-text-sequence-11

Carl Wallace <carl@redhoundsoftware.com> Wed, 24 December 2014 20:43 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6200C1A1AA1 for <secdir@ietfa.amsl.com>; Wed, 24 Dec 2014 12:43:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SxaTE3Lo2Vuv for <secdir@ietfa.amsl.com>; Wed, 24 Dec 2014 12:43:07 -0800 (PST)
Received: from mail-qc0-f179.google.com (mail-qc0-f179.google.com [209.85.216.179]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED8561A1A97 for <secdir@ietf.org>; Wed, 24 Dec 2014 12:43:06 -0800 (PST)
Received: by mail-qc0-f179.google.com with SMTP id c9so6063195qcz.24 for <secdir@ietf.org>; Wed, 24 Dec 2014 12:43:06 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version:content-type :content-transfer-encoding; bh=5vgHXLYTDb74R5JbtC68jWdgPWQtUEcfGbI2UmdNOxE=; b=YXHnPsSVJHf47WUo2xhIecr2CqcUDEte8e/mgl02bMlTzQoDZG9XVqsKrn/WnW6lFd RZJ9OOvQfuxVyO4PJ1uqbYVLHNyugtkyvrdyoArwGCSD0ob4D57qyANOCpcsEoYTZxdn olgEIcB/MhxVIY/Ya/YkaT6+xwgOTqThNlhymQDDINexrx/X5F0Yr45JW5wVeIUTkzB/ 1k3bKeduGaU5Z6zCDu8sci3CG02m/WL+h4f0eDqfvcBr1X+f7yx3Nw5WBTdNYg0CrpVQ pJR+zdx67QUshC2SvPL3+6XGmkKxnX9FaV/NTOVFLPa6jqqIty9Q2jXavSdrvo0Sy/1Q IQuA==
X-Gm-Message-State: ALoCoQlKwi8aJnDQPbygK5WYICUnQfQCLI0ftW7ATIrePt4zeoxGoH1eeO2cTZ8M4ANKQM3hXtMR
X-Received: by 10.224.135.193 with SMTP id o1mr57365537qat.97.1419453786199; Wed, 24 Dec 2014 12:43:06 -0800 (PST)
Received: from [192.168.1.8] (pool-173-79-132-199.washdc.fios.verizon.net. [173.79.132.199]) by mx.google.com with ESMTPSA id g103sm1430206qgd.41.2014.12.24.12.43.03 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 24 Dec 2014 12:43:05 -0800 (PST)
User-Agent: Microsoft-MacOutlook/14.4.7.141117
Date: Wed, 24 Dec 2014 15:42:59 -0500
From: Carl Wallace <carl@redhoundsoftware.com>
To: Nico Williams <nico@cryptonector.com>
Message-ID: <D0C08E72.29F41%carl@redhoundsoftware.com>
Thread-Topic: [secdir] secdir review of draft-ietf-json-text-sequence-11
References: <D0B5C964.2954A%carl@redhoundsoftware.com> <20141216174829.GZ3241@localhost> <D0B5DC2E.295DB%carl@redhoundsoftware.com> <20141216193707.GE3241@localhost> <D0B5F9D2.29691%carl@redhoundsoftware.com> <20141216213533.GI3241@localhost> <D0B64568.29705%carl@redhoundsoftware.com> <20141217185523.GA3241@localhost> <20141217234113.GH9443@localhost> <D0B82B77.29907%carl@redhoundsoftware.com> <20141219004305.GB12662@localhost> <D0B97E0A.29A35%carl@redhoundsoftware.com>
In-Reply-To: <D0B97E0A.29A35%carl@redhoundsoftware.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/Rko934eBeaDNGookRBBfnfjAUT8
Cc: draft-ietf-json-text-sequence@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-json-text-sequence-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Dec 2014 20:43:08 -0000

The new text in the security considerations creates a misimpression that
signature problems require “repeated parsing and re-encoding”.  I suggest
the following mods to the current text to remove this misimpression:

Current:
Repeated parsing and re-encoding of a JSON text sequence can result in the
addition (or stripping) of trailing LF bytes from (to) individual sequence
element JSON texts.  This can break signature validation.  JSON has no
canonical form for JSON texts, therefore neither does the JSON text
sequence format.


Suggested:
Encoding a JSON text sequence will result in the addition of a trailing LF
byte to individual sequence element JSON texts.  This can break signature
validation.  JSON has no canonical form for JSON texts, therefore neither
does the JSON text sequence format.




On 12/19/14, 7:03 AM, "Carl Wallace" <carl@redhoundsoftware.com>; wrote:

>On 12/18/14, 7:43 PM, "Nico Williams" <nico@cryptonector.com>; wrote:
>
>><large snip>
>>
>>Integrity mechanisms are out of scope in this document.
>
>OK
>
>><large snip>
>>The upcoming -12 notes the ambiguities and lack of integrity mechanism
>>support.  I propose no further changes regarding how and whether to
>>detect if a trailing LF was added by a sequence encoder or not, or
>>whether to pass it to the JSON text parser.
>
>OK