[secdir] draft-ietf-appsawg-json-pointer-07 SECDIR Review

Donald Eastlake <d3e3e3@gmail.com> Mon, 31 December 2012 03:11 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D33A21F8C11; Sun, 30 Dec 2012 19:11:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.367
X-Spam-Level:
X-Spam-Status: No, score=-103.367 tagged_above=-999 required=5 tests=[AWL=0.232, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id supmuIQ9N4C0; Sun, 30 Dec 2012 19:11:27 -0800 (PST)
Received: from mail-oa0-f48.google.com (mail-oa0-f48.google.com [209.85.219.48]) by ietfa.amsl.com (Postfix) with ESMTP id 0106321F8BC2; Sun, 30 Dec 2012 19:11:26 -0800 (PST)
Received: by mail-oa0-f48.google.com with SMTP id h2so11157020oag.7 for <multiple recipients>; Sun, 30 Dec 2012 19:11:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type; bh=tyvxrdVk4piOjHOS55NFIIqj0km72my/XkmybMZfgTo=; b=cZqNab6x6YZtlaaHRL8Vb5nsxczbrX3QloncvidYWpyon7FZ7/L2hGX906ubwrdyMk gfm1cqDHYSGKnN5IrLdtdVAUBi1W2YgAoe5Pw/SoBNC3pPgrUvTp7C+mxMyDl2Y1wNBt bN0GqEFYPMr5uyhdPsQddK8D6NksBbHe5/Wxamx4zV3GN2tqZuzJ9ImONBNt1C2Qvi2n O1whRgjujo+oAezA6E0hGdlXzqDqXPVn7JJOUCW1VjAtA/WNeHhhksLJf4y4wIC9V8l+ wSSHuCmqVOV0Yfe2sYu0+oxD1JXljK9Z7HR6CFXZF282nKeSAKKhd+Ad0+FB2+hl9Irk sGog==
Received: by 10.182.185.12 with SMTP id ey12mr33484314obc.7.1356923486452; Sun, 30 Dec 2012 19:11:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.76.144.105 with HTTP; Sun, 30 Dec 2012 19:11:05 -0800 (PST)
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Sun, 30 Dec 2012 22:11:05 -0500
Message-ID: <CAF4+nEEDfhv=J_BnXJjj7q2_9tf16RCUpTHspQcky1+F_0JTzA@mail.gmail.com>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-appsawg-json-pointer.all@tools.ietf.org
Content-Type: text/plain; charset=ISO-8859-1
Subject: [secdir] draft-ietf-appsawg-json-pointer-07 SECDIR Review
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Dec 2012 03:11:27 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This draft describes two closely related syntaxes for pointers to
objects within a JSON (JavaScript Object Notation) document. One is a
JSON string syntax, the other is a URI fragment identifier for URIs
defined to take such a fragment identifier.

Security:

I do not see any security problems with this document. The syntax
appears to be unambiguously specified, including ABNF, and the
Security Considerations Section is adequate and touches on the
potential pit-falls that JSON pointers can contain NULs.

Miscellaneous:

I found significant ambiguity in the semantics of a JSON pointer
string. Is the result of the successful evaluation ("evaluation" is a
term used in the draft) of such a pointer string a structure that
points into a JSON document or is it the objection pointed to? It
mostly seems to be an object but it is specifically provided that
array references could point beyond the end of an array and at least
in that case perhaps some sort of pointer structure would be returned
with the error condition. It probably doesn't matter, because these
syntaxes are intended to be used in a variety of applications and it
will be up to the application to clarify the semantics.

Minor:

The expansion for the acronym JSON should be given in the title and abstract.

In the first line of the second paragraph of Section 6, I found the
word "nominate" kind of odd. Why not "specify" or "select" or "use"?

None of the Authors Addresses given includes a postal address.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com