I happened to come across this draft https://datatracker.ietf.org/doc/draft-lemmons-composite-claims/ and noticed this statement:
"Composition claims can be nested to an arbitrary level of depth. Implementations MAY limit the depth of composition nesting by rejecting CWTs with too many levels but MUST support at least four levels of nesting."

I'm not a COSE expert, but this reminded me of a recursive stack problem attack that could occur in XML documents many years ago without proper mitigations. It might be good to suggest that Implementations SHOULD or even MUST limit the depth appropriate to their application constraints (or something like that), or choose a maximum depth limit that makes sense (for example, would anyone really need more than 100?). I'm just worried that allowing unlimited nesting depths could cause a naïve parser to explode.

Cheers,

John Gray
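The failure mode John describes, and the mitigation he proposes, side by side as an added example (not code from the draft, the COSE working group or the email). It assumes the CWT has already been decoded from CBOR into Python dicts/lists/scalars (the shape a decoder such as cbor2 produces) and models a composition claim as a claim whose value is itself a nested claim set; the claim key `COMPOSITE_KEY_PLACEHOLDER` is a stand-in, not a registered claim number. The recursive `naive_depth` walks the structure the way a straightforward implementation might and hits Python's recursion limit on a deeply nested input; `bounded_depth` keeps an explicit stack and rejects the CWT as soon as the configured limit is exceeded, so the checker itself cannot be exhausted by the input it is validating.

```python
"""Depth-bounded validation of nested composite claims in a decoded CWT.

Added example; assumes claims are already CBOR-decoded into Python
containers. COMPOSITE_KEY_PLACEHOLDER is a made-up claim key.
"""
from collections import deque

COMPOSITE_KEY_PLACEHOLDER = -65537   # placeholder, not a registered claim key
MIN_SUPPORTED_DEPTH = 4              # the draft: MUST support at least four levels


class NestingTooDeep(ValueError):
    """Raised when a claim set nests deeper than the configured limit."""


def naive_depth(node):
    """Recursive depth measurement, written the way an unguarded parser
    might do it: each nesting level adds a Python stack frame, so a
    hostile input deep enough raises RecursionError (or worse in a
    language without such a guard)."""
    if isinstance(node, dict):
        return 1 + max((naive_depth(v) for v in node.values()), default=0)
    if isinstance(node, (list, tuple)):
        return 1 + max((naive_depth(v) for v in node), default=0)
    return 0


def bounded_depth(claims, limit):
    """Return the nesting depth of `claims` (top-level claim set == 1).

    Uses an explicit stack instead of recursion, so the walk costs O(n)
    heap and constant call-stack depth, and aborts with NestingTooDeep as
    soon as any node lies deeper than `limit` -- before the rest of the
    structure is even visited.
    """
    if limit < MIN_SUPPORTED_DEPTH:
        raise ValueError("limit must allow at least %d levels" % MIN_SUPPORTED_DEPTH)
    deepest = 0
    stack = deque([(claims, 1)])
    while stack:
        node, depth = stack.pop()
        if depth > limit:
            raise NestingTooDeep("composition nesting exceeds %d levels" % limit)
        deepest = max(deepest, depth)
        if isinstance(node, dict):
            children = node.values()
        elif isinstance(node, (list, tuple)):
            children = node
        else:
            continue  # scalar claim value: nothing below it
        for child in children:
            if isinstance(child, (dict, list, tuple)):
                stack.append((child, depth + 1))
    return deepest


def accept_cwt_claims(claims, limit=100):
    """Policy wrapper: True if the decoded claim set is within the
    application's depth limit, False if it should be rejected."""
    try:
        bounded_depth(claims, limit)
        return True
    except NestingTooDeep:
        return False


def build_nested(levels):
    """Construct a claim set nested `levels` deep (constructed test input;
    built iteratively so that constructing it does not itself recurse)."""
    node = {1: "https://issuer.example", 2: "subject"}   # constructed leaf claims
    for _ in range(levels - 1):
        node = {COMPOSITE_KEY_PLACEHOLDER: node}
    return node


if __name__ == "__main__":
    print("depth of 4-level claim set:", bounded_depth(build_nested(4), 100))
    print("accept 101 levels with limit 100:", accept_cwt_claims(build_nested(101), 100))
    try:
        naive_depth(build_nested(5000))
    except RecursionError:
        print("naive recursive walk exhausted the stack on 5000 levels")
    print("bounded walk on the same input:", accept_cwt_claims(build_nested(5000), 100))
```

The limit is enforced on the way down rather than after a full traversal, which is what matters for a denial-of-service case: a rejected token should cost the verifier roughly `limit` steps, not work proportional to the attacker's payload size.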