Return-Path: <cabo@tzi.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by ietfa.amsl.com (Postfix) with ESMTP id 30127C1DA2F3;
	Wed,  3 Jul 2024 13:14:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level: 
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5
	tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5,
	RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001,
	SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001,
	URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001]
	autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194])
	by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id DspRGgJqTHym; Wed,  3 Jul 2024 13:13:56 -0700 (PDT)
Received: from smtp.zfn.uni-bremen.de (smtp.zfn.uni-bremen.de [134.102.50.21])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ietfa.amsl.com (Postfix) with ESMTPS id AE1E3C14F708;
	Wed,  3 Jul 2024 13:13:55 -0700 (PDT)
Received: from [192.168.217.145] (p5089ae14.dip0.t-ipconnect.de
 [80.137.174.20])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4WDrZm4SKgzDCbr;
	Wed,  3 Jul 2024 22:13:52 +0200 (CEST)
Content-Type: text/plain;
	charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <171681904824.4732.13257098186796399236@ietfa.amsl.com>
Date: Wed, 3 Jul 2024 22:13:52 +0200
X-Mao-Original-Outgoing-Id: 741730432.103564-aa6bee90812f31508ce1cd8a57f2c8f8
Content-Transfer-Encoding: quoted-printable
Message-Id: <C0005A9A-8878-47F7-8CB0-01C8F825A8AC@tzi.org>
References: <171681904824.4732.13257098186796399236@ietfa.amsl.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Message-ID-Hash: V5WUMCHHAJB36ROQNTSZGYGXPZOPEC33
X-Message-ID-Hash: V5WUMCHHAJB36ROQNTSZGYGXPZOPEC33
X-MailFrom: cabo@tzi.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-secdir.ietf.org-0;
 nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size;
 news-moderation; no-subject; digests; suspicious-header
CC: secdir@ietf.org, cbor@ietf.org, draft-ietf-cbor-edn-literals.all@ietf.org,
 last-call@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: =?utf-8?q?=5Bsecdir=5D_Re=3A_=5BCbor=5D_Secdir_last_call_review_of_draft-iet?=
	=?utf-8?q?f-cbor-edn-literals-09?=
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/secdir/cxrjQS92GItUZG4G7-NBHqcfE7I>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>

On 2024-05-27, at 16:10, Rifaat Shekh-Yusef via Datatracker =
<noreply@ietf.org> wrote:
>=20
> This document describes how to add application specific extensions to =
EDN. The
> security section of this draft does not discuss the implication of =
this
> directly, but instead points to RFC8610 and RFC8949. Because, as =
stated above,
> these diagnostics are not meant to be parsed, this document implies =
that there
> are no new security implications associated with these new extensions.
>=20
> If this is the case, it would be nice to add a sentence or two to help =
the
> reader get to this conclusion directly, instead of just pointing the =
reader to
> the other documents.

Hi Rifaat,

thank you for pointing out this gap.
Extensions exercising these extension points can very well have their =
own security considerations, as exemplified already by the next two =
application-extensions in the pipeline, e=E2=80=99=E2=80=99 and =
ref=E2=80=99=E2=80=99 [1].

[1]: =
https://www.ietf.org/archive/id/draft-ietf-cbor-edn-e-ref-00.html#name-sec=
urity-considerations

We added some text about this in PR #50 [50], explaining how tool =
implementers and operators may need to be considerate of security =
implementations posed by the extensions they support.

[50]: https://github.com/cbor-wg/edn-literal/pull/50/files

This PR is merged and slated to be part of the next revision =
draft-ietf-cbor-edn-literal-10.

Gr=C3=BC=C3=9Fe, Carsten