On 2020-08-11, at 21:14, Yaron Sheffer <yaronf.ietf@xxxxxxxxx> wrote:

>>> I understand that, but realistically, without a list of (potential) validity checks in the RFC, there will be wide variance in what is documented by decoders – if any. In fact I checked a few implementations just now, and most of them do not document what validity checks they perform. Those that document something are hard to compare. If you make a canonical list, people would have a starting point.
>>
>> To be fair, you probably checked RFC 7049 implementations, and RFC 7049 didn't have such a requirement (improving the discussion of validity was one of the major work items in 7049bis, see Appendix G.3).
>>
>> One point to keep in mind is that, with CBOR, most validity processing happens in the processing of tags, and that is an extension point. So a list in 7049bis will never be complete. Even if it only covers base CBOR and the tags registered in 7049/7049bis, a detailed version is likely to be tedious and highly dependent on specific implementation approaches.
>>
>> Trying to imagine the outcome of this exercise, my visual image right now is a PICS Proforma, so I think I'll better stop here...
>>
>> Grüße, Carsten
>
> Hi Carsten,
>
> You are addressing this issue from the point of view of a spec writer; I suggest you take the POV of the implementer,

I took the view of the implementer of a generic decoder (which I happen to also be IRL), faced with a PICS Proforma. Just in case that term doesn't already send you running for the hills, there are some standards that come with a [not so] little word document that you are supposed to fill in to describe what your implementation of that standard really does.

> the user of a decoder. Those people are not CBOR experts, and when faced with free-form and probably terse documentation of a decoder's validity checking would never know what they need to consider to add as application-level checking.

I certainly can agree with that.

Still, I would like to learn about other places where IETF has done something like that, so we can learn from those efforts.

> I realize that tags are an extension point, but if we are to avoid decoding-related vulnerabilities, I suggest you list validity checks for the base CBOR and tags in RFC7049+bis.

Would that also be a good thing for a separate document, possibly including more tags?

Grüße, Carsten

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call