Re: [secdir] [EXTERNAL] Secdir last call review of draft-ietf-jsonpath-iregexp-06

Carsten Bormann <cabo@tzi.org> Thu, 25 May 2023 10:59 UTC

From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <CH0PR11MB57396636498D34CC633E2C3F9F789@CH0PR11MB5739.namprd11.prod.outlook.com>
Date: Thu, 25 May 2023 12:59:07 +0200
Cc: Tim Bray <tbray@textuality.com>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-jsonpath-iregexp.all@ietf.org" <draft-ietf-jsonpath-iregexp.all@ietf.org>, "jsonpath@ietf.org" <jsonpath@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "\"Martin J. Dürst\"" <duerst@it.aoyama.ac.jp>
Message-Id: <82B020F8-5B25-4F7D-9824-A9E0615BC10C@tzi.org>
References: <168416383998.50512.953102690552943438@ietfa.amsl.com> <CAHBU6iuKKp3g_HbhgaZT8CcStQBKoaHOcdf9ogku=bftYt5wgA@mail.gmail.com> <CH0PR11MB57396636498D34CC633E2C3F9F789@CH0PR11MB5739.namprd11.prod.outlook.com>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Z9-zAVOt-0YnOQAT9sPOlh8Ez9s>
Subject: Re: [secdir] [EXTERNAL] Secdir last call review of draft-ietf-jsonpath-iregexp-06

Hi Mike,

> On 2023-05-15, at 18:40, Mike Ounsworth <Mike.Ounsworth@entrust.com> wrote:
> 
> If you put any sort of paragraph to that effect, then I’ll be happy.

Actually, this thread turned into a number of new paragraphs.

In PR #27 [1], new text has been added specifically about resource consumption (time and space) based attacks.  This text is a bit longer than I wanted because it has to distinguish the two cases, I-Regexp-specific implementation vs. re-use of an existing Regexp implementation, and there is no simple perfect way to handle twisted applications of range quantifiers.  Thanks to Martin Dürst for preparing much of this text in his original comment.

PR #26 [2] picks up the comments made by Rob Sayre and generalizes the concerns in a way that is useful in this specification.  We now reference STD 63 (RFC 3629), interestingly as an informative reference, as this discusses related issues in more detail than would fit this specification.

Thank you for getting this thread started with your comment!

Comments on the two PRs will be appreciated.

Regards, Carsten


[1]: https://github.com/ietf-wg-jsonpath/iregexp/pull/27
[2]: https://github.com/ietf-wg-jsonpath/iregexp/pull/26
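As an added illustration of the resource-consumption concern raised in this thread (example code written here, not text from the draft, from PR #27, or from the I-Regexp project): a pre-check that estimates how large a pattern becomes when an implementation unrolls `{m,n}` range quantifiers into n copies of the quantified sub-expression. That unrolling strategy is an assumption about one possible implementation; the function names and the 10,000 limit are arbitrary choices. The point is that nested range quantifiers multiply, so `(a{1000}){1000}` costs a million copies while looking harmless, and a receiver can bound that before handing the pattern to any regex engine.

```python
"""Estimate the unrolled size of an I-Regexp-style pattern (added example, not project code).

Assumption: the consuming implementation expands a bounded quantifier {m,n} into
n copies of its sub-expression (an assumed strategy), so nested ranges multiply.
Unbounded quantifiers (*, +, {m,}) are assumed to compile to a loop and count as
max(m, 1) copies.  Alternation counts the largest branch.
"""
import re

# {m}, {m,} and {m,n}; group 3 is "" for {m,} and None for {m}
_RANGE = re.compile(r"\{(\d+)(,(\d*))?\}")


class PatternTooLarge(ValueError):
    """Raised when a pattern's estimated unrolled size exceeds the policy limit."""


def unrolled_size(pattern: str) -> int:
    """Return the estimated number of atom copies after unrolling range quantifiers."""
    size, pos = _parse_alternation(pattern, 0)
    if pos != len(pattern):
        raise ValueError(f"unbalanced ')' at offset {pos}")
    return size


def _parse_alternation(p: str, i: int) -> tuple[int, int]:
    """Parse p[i:] up to a closing ')' or end; return (max branch size, next index)."""
    n = len(p)
    best = 0      # largest completed branch so far
    current = 0   # size of the branch being scanned
    while i < n:
        c = p[i]
        if c == ")":
            break
        if c == "|":
            best, current, i = max(best, current), 0, i + 1
            continue
        # --- one atom: group, character class, escape, or literal ---
        if c == "(":
            atom, i = _parse_alternation(p, i + 1)
            if i >= n or p[i] != ")":
                raise ValueError("unbalanced '('")
            i += 1
        elif c == "[":
            i += 1
            while i < n and p[i] != "]":
                i += 2 if p[i] == "\\" else 1   # skip escaped chars such as \]
            if i >= n:
                raise ValueError("unterminated '['")
            i += 1
            atom = 1
        elif c == "\\":
            i += 2
            atom = 1
        elif c in "{}*+?":
            raise ValueError(f"unexpected metacharacter {c!r} at offset {i}")
        else:
            i += 1
            atom = 1
        # --- optional quantifier ---
        if i < n and p[i] in "*+?":
            i += 1                          # loop or optional: one copy (assumed)
        elif i < n and p[i] == "{":
            m = _RANGE.match(p, i)
            if not m:
                raise ValueError(f"malformed range quantifier at offset {i}")
            lo = int(m.group(1))
            hi = lo if m.group(2) is None else (None if m.group(3) == "" else int(m.group(3)))
            if hi is not None and hi < lo:
                raise ValueError(f"range {{{lo},{hi}}} has max below min")
            copies = hi if hi is not None else lo   # {m,}: loop after m copies
            atom *= max(copies, 1)
            i = m.end()
        current += atom
    return max(best, current), i


def check_pattern(pattern: str, limit: int = 10_000) -> int:
    """Accept the pattern (returning its estimate) or raise PatternTooLarge."""
    size = unrolled_size(pattern)
    if size > limit:
        raise PatternTooLarge(f"estimated unrolled size {size} exceeds limit {limit}")
    return size


if __name__ == "__main__":
    # Constructed sample patterns: the last one is the nested-range case.
    for pat in ["[0-9]{2,4}x", "(ab|c){3}", "a{1000}", "(a{1000}){1000}"]:
        try:
            print(f"{pat:20s} -> {check_pattern(pat)}")
        except PatternTooLarge as exc:
            print(f"{pat:20s} -> rejected: {exc}")
```

The estimate is deliberately an upper bound on copies, not a timing model: a backtracking engine can still be slow on a small pattern, and an automaton-based engine may never unroll at all, which is why the thread distinguishes an I-Regexp-specific implementation from re-use of an existing engine. A size gate like this is cheap to run on untrusted patterns and removes the multiplicative case regardless of which engine sits behind it.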