Re: [Last-Call] Secdir last call review of draft-ietf-cbor-7049bis-14


 



On Aug 10, 2020, at 2:00 AM, Yaron Sheffer via Datatracker <noreply@xxxxxxxx> wrote:

 

Upon a quick read, it is not even clear to me which parts of Sec. 5
are required/expected in a validating-mode decoder.

 

A generic decoder can do as little or as much validity checking as it wants to. What is required is that it documents what validity checking it does not do and that it does not prevent the user of the generic decoder from doing the validity checks.

 

The reason for this is that some validity checking is expensive for a CBOR decoder and is inexpensive for the consumer of the data. Checking the validity of UTF-8 or MIME-encoded messages are examples of this.

 

LL

 

I understand that, but realistically, without a list of (potential) validity checks in the RFC, there will be wide variance in what is documented by decoders – if any. In fact I checked a few implementations just now, and most of them do not document what validity checks they perform. Those that document something are hard to compare. If you make a canonical list, people would have a starting point.

 

Thanks,

                Yaron

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
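
The split discussed in this thread, sketched as an added example (not code from either poster or from the draft): a decoder for a small CBOR subset that enforces well-formedness, documents that it skips the UTF-8 validity check, and hands text strings over raw so the consumer can run that check. The names `decode_item`, `RawText`, `SKIPPED_CHECKS` and `consumer_text` are hypothetical, and the sample bytes are constructed.

```python
# Added illustration; all names here are hypothetical, not from any CBOR library.

# Validity checks this decoder documents as NOT performed (left to the consumer).
SKIPPED_CHECKS = ("UTF-8 validity of text strings",)

class RawText(bytes):
    """Payload of a text string (major type 3), returned unvalidated."""

def _head(buf, pos):
    """Read the initial byte and argument; reject truncated or unsupported heads."""
    if pos >= len(buf):
        raise ValueError("truncated item")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        return major, info, pos
    if info > 27:
        raise ValueError("indefinite or reserved length not handled in this sketch")
    n = 1 << (info - 24)            # 1, 2, 4 or 8 argument bytes
    if pos + n > len(buf):
        raise ValueError("truncated argument")
    return major, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def decode_item(buf, pos=0):
    """Decode one item (ints, byte/text strings, arrays); return (value, next_pos)."""
    major, arg, pos = _head(buf, pos)
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        if pos + arg > len(buf):    # well-formedness: the length must fit the input
            raise ValueError("truncated string")
        raw = bytes(buf[pos:pos + arg])
        return (RawText(raw) if major == 3 else raw), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = decode_item(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError("major type %d not handled in this sketch" % major)

def consumer_text(value):
    """Consumer-side validity check the decoder skipped: strict UTF-8 decoding."""
    return bytes(value).decode("utf-8", errors="strict")

# Constructed sample: array of two text strings, the second one invalid UTF-8.
SAMPLE = bytes.fromhex("82" "626f6b" "62c328")
```

The decoder accepts `SAMPLE` as well-formed; only `consumer_text` on the second element fails, which is the check listed in `SKIPPED_CHECKS`.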
