Re: [Last-Call] Secdir last call review of draft-ietf-cbor-7049bis-14

    > 
    > I understand that, but realistically, without a list of (potential) validity checks in the RFC, there will be wide variance in what is documented by decoders – if any. In fact I checked a few implementations just now, and most of them do not document what validity checks they perform. Those that document something are hard to compare. If you make a canonical list, people would have a starting point.

    To be fair, you probably checked RFC 7049 implementations, and RFC 7049 didn’t have such a requirement (improving the discussion of validity was one of the major work items in 7049bis, see Appendix G.3).

    One point to keep in mind is that, with CBOR, most validity processing happens in the processing of tags, and that is an extension point.  So a list in 7049bis will never be complete.  Even if it only covers base CBOR and the tags registered in 7049/7049bis, a detailed version is likely to be tedious and highly dependent on specific implementation approaches.

    Trying to imagine the outcome of this exercise, my visual image right now is a PICS Proforma, so I think I’d better stop here...

    Grüße, Carsten

Hi Carsten,

You are addressing this issue from the point of view of a spec writer; I suggest you take the POV of the implementer, the user of a decoder. Those people are not CBOR experts, and when faced with free-form and probably terse documentation of a decoder's validity checking, they would never know what they need to consider adding as application-level checking.

I realize that tags are an extension point, but if we are to avoid decoding-related vulnerabilities, I suggest you list validity checks for the base CBOR and tags in RFC7049+bis.

Thanks,
	Yaron


-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
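As an added illustration (not part of this thread, and not code from any CBOR project): a minimal definite-length CBOR decoder that separates the three outcomes an implementer's documentation would have to describe: not well-formed, well-formed but invalid, and valid. The validity checks it applies (UTF-8 text strings, unique map keys, the content type of tags 0 and 1) follow RFC 8949 section 5.3, the published 7049bis; arrays, floats, simple values and indefinite lengths are deliberately left out to keep it short.

```python
class InvalidCBOR(ValueError):
    """Well-formed CBOR that fails a validity check (RFC 8949 section 5.3)."""

def _head(data, pos):  # -> (major type, argument, next offset)
    mt, ai, pos = data[pos] >> 5, data[pos] & 0x1F, pos + 1
    if ai < 24:
        return mt, ai, pos
    size = {24: 1, 25: 2, 26: 4, 27: 8}.get(ai)   # indefinite lengths not handled
    if size is None or pos + size > len(data):
        raise ValueError("not well-formed: bad or truncated head")
    return mt, int.from_bytes(data[pos:pos + size], "big"), pos + size

def _item(data, pos):  # comments marked 'validity:' are the checks at issue
    mt, arg, pos = _head(data, pos)
    if mt in (0, 1):                                   # unsigned / negative integer
        return (arg if mt == 0 else -1 - arg), pos
    if mt in (2, 3):                                   # byte string / text string
        if pos + arg > len(data): raise ValueError("not well-formed: truncated string")
        raw, pos = bytes(data[pos:pos + arg]), pos + arg
        try:
            return (raw if mt == 2 else raw.decode("utf-8")), pos   # validity: UTF-8
        except UnicodeDecodeError:
            raise InvalidCBOR("text string is not valid UTF-8") from None
    if mt == 5:                                        # map (keys assumed hashable)
        result = {}
        for _ in range(arg):
            k, pos = _item(data, pos)
            v, pos = _item(data, pos)
            if k in result:                            # validity: no duplicate keys
                raise InvalidCBOR(f"duplicate map key {k!r}")
            result[k] = v
        return result, pos
    if mt == 6:                                        # tag: validity is tag-specific
        content, pos = _item(data, pos)
        if arg == 0 and not isinstance(content, str):
            raise InvalidCBOR("tag 0 (date/time string) requires a text string")
        if arg == 1 and not isinstance(content, int):  # floats are not decoded here
            raise InvalidCBOR("tag 1 (epoch time) requires a number")
        return (arg, content), pos
    raise ValueError(f"unsupported here: major type {mt} (arrays, floats, simple values)")

def classify(data):
    """Return ('ok', value), ('invalid', reason) or ('not-well-formed', reason)."""
    try:
        value, end = _item(data, 0)
        return ("ok", value) if end == len(data) else ("not-well-formed", "trailing bytes")
    except InvalidCBOR as e:
        return "invalid", str(e)
    except (ValueError, IndexError) as e:
        return "not-well-formed", str(e)
```

Only the "invalid" branch is the part the thread argues a decoder should document, since "not-well-formed" input must always be rejected while the application decides what to do with well-formed-but-invalid data.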