[secdir] Re: [Cbor] Secdir last call review of draft-ietf-cbor-edn-literals-09
Carsten Bormann <cabo@tzi.org> Wed, 03 July 2024 20:14 UTC
Return-Path: <cabo@tzi.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30127C1DA2F3; Wed, 3 Jul 2024 13:14:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DspRGgJqTHym; Wed, 3 Jul 2024 13:13:56 -0700 (PDT)
Received: from smtp.zfn.uni-bremen.de (smtp.zfn.uni-bremen.de [134.102.50.21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE1E3C14F708; Wed, 3 Jul 2024 13:13:55 -0700 (PDT)
Received: from [192.168.217.145] (p5089ae14.dip0.t-ipconnect.de [80.137.174.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4WDrZm4SKgzDCbr; Wed, 3 Jul 2024 22:13:52 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <171681904824.4732.13257098186796399236@ietfa.amsl.com>
Date: Wed, 03 Jul 2024 22:13:52 +0200
X-Mao-Original-Outgoing-Id: 741730432.103564-aa6bee90812f31508ce1cd8a57f2c8f8
Content-Transfer-Encoding: quoted-printable
Message-Id: <C0005A9A-8878-47F7-8CB0-01C8F825A8AC@tzi.org>
References: <171681904824.4732.13257098186796399236@ietfa.amsl.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Message-ID-Hash: V5WUMCHHAJB36ROQNTSZGYGXPZOPEC33
X-Message-ID-Hash: V5WUMCHHAJB36ROQNTSZGYGXPZOPEC33
X-MailFrom: cabo@tzi.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: secdir@ietf.org, cbor@ietf.org, draft-ietf-cbor-edn-literals.all@ietf.org, last-call@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [secdir] Re: [Cbor] Secdir last call review of draft-ietf-cbor-edn-literals-09
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/cxrjQS92GItUZG4G7-NBHqcfE7I>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>
On 2024-05-27, at 16:10, Rifaat Shekh-Yusef via Datatracker <noreply@ietf.org> wrote: > > This document describes how to add application specific extensions to EDN. The > security section of this draft does not discuss the implication of this > directly, but instead points to RFC8610 and RFC8949. Because, as stated above, > these diagnostics are not meant to be parsed, this document implies that there > are no new security implications associated with these new extensions. > > If this is the case, it would be nice to add a sentence or two to help the > reader get to this conclusion directly, instead of just pointing the reader to > the other documents. Hi Rifaat, thank you for pointing out this gap. Extensions exercising these extension points can very well have their own security considerations, as exemplified already by the next two application-extensions in the pipeline, e’’ and ref’’ [1]. [1]: https://www.ietf.org/archive/id/draft-ietf-cbor-edn-e-ref-00.html#name-security-considerations We added some text about this in PR #50 [50], explaining how tool implementers and operators may need to be considerate of security implementations posed by the extensions they support. [50]: https://github.com/cbor-wg/edn-literal/pull/50/files This PR is merged and slated to be part of the next revision draft-ietf-cbor-edn-literal-10. Grüße, Carsten
- [secdir] Secdir last call review of draft-ietf-cb… Rifaat Shekh-Yusef via Datatracker
- [secdir] Re: [Cbor] Secdir last call review of dr… Carsten Bormann