Re: [secdir] secdir review of draft-ietf-json-text-sequence-11

Nico Williams <> Fri, 19 December 2014 00:43 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A0BAF1ACC72; Thu, 18 Dec 2014 16:43:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KCelmZL39M1L; Thu, 18 Dec 2014 16:43:11 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 668221ACAD8; Thu, 18 Dec 2014 16:43:11 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id F2C0031805C; Thu, 18 Dec 2014 16:43:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s=; bh=qZqkJNFfKapsgEGSsxAqnJMkWwM=; b=y0wSuYKxiNi z4kPocj6ffpDMugObfZuz4JQom5SAykuUdPzFPEkHAtEnBdPmzEJkdDhCi/QdwbR hGIaMXQ1m1LPglkBGhjFSO5K0yB2Yg58rwsGge3s7Ui2SSuibeFkK0/dT3y4/WzS I+d1GiSGbGjMGoXH1fibOjfUNPibLsjU=
Received: from localhost ( []) (Authenticated sender: by (Postfix) with ESMTPA id 90264318059; Thu, 18 Dec 2014 16:43:10 -0800 (PST)
Date: Thu, 18 Dec 2014 18:43:10 -0600
From: Nico Williams <>
To: Carl Wallace <>
Message-ID: <20141219004305.GB12662@localhost>
References: <> <20141216174829.GZ3241@localhost> <> <20141216193707.GE3241@localhost> <> <20141216213533.GI3241@localhost> <> <20141217185523.GA3241@localhost> <20141217234113.GH9443@localhost> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.21 (2010-09-15)
Content-Transfer-Encoding: quoted-printable
Subject: Re: [secdir] secdir review of draft-ietf-json-text-sequence-11
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 19 Dec 2014 00:43:12 -0000

On Thu, Dec 18, 2014 at 07:12:34AM -0500, Carl Wallace wrote:
> The suggestion is not to tolerate a missing <LF> but to not always add
> them in the text sequence encoder in the first place. The <LF> addition

They can be tolerated in the parser.  Logging applications that encode
sequences correctly might nonetheless be subject to truncation of
sequence elements (including RS and trailing LF bytes) while
incrementally encoding a sequence, followed by additional elements being
added later (again, O_APPEND...).

Aside: if we'd never considered truncation we also wouldn't have needed
RS bytes, just trailing LF bytes, and optional ones at that (which is
exactly what implements and has for a long
time now).  The problem with truncation is that there was no way to
figure out how to resync a parser, therefore no way to make it tolerate
truncation, not without RS, which in turn makes RS-less sequences not so
useful for logging applications.  We could abandon this, but several
people expressed the need for this format only when this was addressed,
and I do believe using RS (or similar) is better than not.

> would essentially be an extension of the JSON text encoder (albeit
> implemented in the text sequence encoder).  There would be no ambiguity.

No extensions of the JSON text encoder can be had here, not even
notional ones.  We're not updating RFC7159, not even implicitly.

Off-the-shelf JSON text parsers and encoders must be sufficient to
implement JSON text sequence parsers and encoders.

> The parser would always leave it in. Where integrity mechanisms are used,

Whether the parser leaves it in or not is unimportant.  What's important
is that the parser uses it to detect truncation of JSON texts that can
be truncated and still be valid but _different_ from the original.

As noted, ambiguities result from this looseness about how the trailing
LFs are handled.  These are noted in the security considerations section
in the upcoming -12.  That should suffice.

> the auto-<LF> would need to be turned off and the source responsible for
> properly terminating inputs to the text sequence encoder.

Integrity mechanisms are out of scope in this document.

> Thinking more about stripping out the <LF>, that won’t always work either
> for the same reason you have the parser reject non-self-delimited texts
> that do not end with a <LF>. The text sequence encoder could terminate
> before the <LF> is written possibly leaving a <LF> added by the source
> exposed (and removed by a decoder). The parser really can’t know if the
> JSON encoder or JSON text sequence encoder added a trailing <LF>.

When the sequence parser knows that the encoder of a sequence wasn't
subject to truncation, then the parser can indeed require and remove the
trailing LF.  In other cases it can't.

As JSON texts can have arbitrary amounts of trailing whitespace,
integrity mechanisms are out of scope, and JSON texts have no canonical
form (and are subject to being changed when parsed then re-encoded
without meaningful modification to the parsed value), there's no need to
concern ourselves further with this matter.

The upcoming -12 notes the ambiguities and lack of integrity mechanism
support.  I propose no further changes regarding how and whether to
detect if a trailing LF was added by a sequence encoder or not, or
whether to pass it to the JSON text parser.