Re: [secdir] secdir review of draft-ietf-json-rfc4627bis-07

Tobias Gondrom <> Wed, 18 December 2013 15:55 UTC


Hi all,

I re-reviewed the new doc version and did not see any changes related to
my comments nor did I receive any direct replies from the authors.
(note: this might well be due to some technical errors on the IETF mail
server, which I think is fixed now.)
As I am not sure whether my review email was received by the authors,
here it is again.

Best regards, Tobias

On 06/12/13 19:29, Tobias Gondrom wrote:
> Hi all,
> as it seems my previous review email was not relayed to the secdir and
> iesg mailing-lists. Here it is again.
> Best regards, Tobias
> On 25/11/13 23:50, Tobias Gondrom wrote:
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written primarily for the benefit of the
>> security area directors.  Document editors and WG chairs should treat
>> these comments just like any other last call comments.
>> The document updates RFC4627 and aims for Standards Track.
>> It is about the JSON Data Interchange Format.
>> This document appears ready for publication.
>> It is good that we make the effort to incorporate the existing errata
>> into an updated RFC.
>> Some small nits / thoughts (as comments, none of them a discuss):
>> - section 1: you briefly explain strings, objects and arrays. Do you
>> maybe also want to make a brief statement about the range of allowed
>> numbers or point towards section 6? (though this is not absolutely
>> necessary as you discuss the data types in more detail in section 4-7).
>> - section 12.  Security Considerations:
>> second paragraph: the point about the "eval()" function is a bit
>> shallow, it might be useful to discuss this a bit more and to spell
>> out what would be best practice instead of "use that language's
>> "eval()" function to parse JSON texts." as that "generally
>> constitutes an unacceptable security risk"
>> - section 1 or 2:
>> it might be useful to spell out what exactly the most important
>> changes are in comparison to 4627 and why. Or mention that this would
>> be discussed in detail in Appendix A.
>> Best regards, Tobias
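
To make the "eval()" point from the quoted review concrete, here is an added example (not text from the draft, and not written by the reviewer) that contrasts handing a JSON text to eval() with using a real JSON parser. It assumes Node.js; the inputs and the helper names (recordCall, parseWithEval, parseStrict, compare) are constructed for the demonstration.

```javascript
// Added example: eval() versus a conforming JSON parser (JSON.parse).
// Assumes Node.js. All inputs below are constructed for the demonstration.

let evaluatedCalls = 0;                 // incremented only if eval() executes code
function recordCall() { evaluatedCalls += 1; return "alice"; }

// A valid JSON text: both approaches accept it and yield the same object.
const VALID_JSON = '{"user":"alice","roles":["admin","dev"]}';

// Constructed text that is NOT JSON (it contains a function call) but IS a valid
// JavaScript expression. A conforming JSON parser must reject it; eval() instead
// executes recordCall() as a side effect before returning the object literal.
const NOT_JSON = '{"user": recordCall(), "roles": []}';

function parseWithEval(text) {
  // The pattern the draft's Security Considerations warn about: the text is
  // wrapped in parentheses and handed to the language's eval(). Any JavaScript
  // embedded in the text runs with the caller's privileges.
  return eval("(" + text + ")");
}

function parseStrict(text) {
  // JSON.parse implements only the JSON grammar; non-JSON input throws a
  // SyntaxError and no code contained in the input is ever executed.
  return JSON.parse(text);
}

// Runs both parsers over one text and reports what each of them did.
function compare(text) {
  const report = { evalAccepted: false, strictAccepted: false, strictError: null };
  try { parseWithEval(text); report.evalAccepted = true; } catch (e) { /* rejected */ }
  try { parseStrict(text); report.strictAccepted = true; }
  catch (e) { report.strictError = e.name; }
  return report;
}

// Number of times eval() has executed the embedded call so far.
function callsExecuted() { return evaluatedCalls; }

console.log("valid JSON :", compare(VALID_JSON));
console.log("non-JSON   :", compare(NOT_JSON), "| calls executed:", callsExecuted());
```

The second line of output shows the practical difference: JSON.parse reports a SyntaxError and runs nothing, while eval() accepts the input and has already executed the embedded call.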