Heikki Vatiainen <h...@radiatorsoftware.com> wrote:
    > I haven't worked with CBOR, but I'd be interested to know if, for
    > example, how careful we need to be with serialiser/deserialiser to
    > avoid problems similar to exponential expansions attacks [1], etc. TLVs

There are no entities like in XML, so that won't work.
CBOR now includes a "packed" format which is essentially a bespoke
compression system for CBOR, with the decompressor defined.
Encoders (compressors) can be as complicated as one likes.

The billion_laughs attack might be possible with packed CBOR, but as a CBOR
Protocol user, you would be justified if you just said, "no packed CBOR".


--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide


_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
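
One way a protocol could enforce a "no packed CBOR" rule before handing input to a decoder, shown as an added example that is not part of the original message or of any EMU draft. It assumes packed CBOR signals its tables and references through tags and simple values, so an allowlist of both (plus depth and length checks) excludes it; the names `ALLOWED_TAGS`, `ALLOWED_SIMPLE`, `MAX_DEPTH`, `check_item` and `accept` are hypothetical.

```python
ALLOWED_TAGS = frozenset()                    # assumption: protocol defines no tagged items
ALLOWED_SIMPLE = frozenset({20, 21, 22, 23})  # false, true, null, undefined
MAX_DEPTH = 16                                # assumption: nesting limit set by the protocol

class PolicyError(ValueError): pass

def _head(buf, pos):  # -> (major, info, arg, next_pos)
    if pos >= len(buf):
        raise PolicyError("truncated input")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        return major, info, info, pos
    if info > 27:  # 28-30 reserved, 31 indefinite length or break
        raise PolicyError("reserved or indefinite-length head")
    n = 1 << (info - 24)
    if pos + n > len(buf):
        raise PolicyError("truncated argument")
    return major, info, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def check_item(buf, pos=0, depth=0):
    """Walk one data item without building it; return the offset just past it."""
    if depth > MAX_DEPTH:
        raise PolicyError("nesting too deep")
    major, info, arg, pos = _head(buf, pos)
    if major in (0, 1) or (major == 7 and info in (25, 26, 27)):
        return pos                         # integers and floats carry no payload
    if major in (2, 3):                    # byte and text strings
        if arg > len(buf) - pos:
            raise PolicyError("string longer than input")
        return pos + arg
    if major in (4, 5):                    # arrays and maps
        count = arg * (2 if major == 5 else 1)
        if count > len(buf) - pos:         # every item occupies at least one byte
            raise PolicyError("declared count exceeds input")
        for _ in range(count):
            pos = check_item(buf, pos, depth + 1)
        return pos
    if major == 6:                         # tags: only what the protocol lists
        if arg not in ALLOWED_TAGS:
            raise PolicyError(f"tag {arg} not allowed")
        return check_item(buf, pos, depth + 1)
    if info == 24 or arg not in ALLOWED_SIMPLE:  # remaining major 7 simple values
        raise PolicyError(f"simple value {arg} not allowed")
    return pos

def accept(buf):  # True only for exactly one policy-conforming data item
    try:
        return check_item(buf) == len(buf)
    except PolicyError:
        return False
```

Because the walk allocates nothing per item and bounds every declared length by the bytes actually received, the work done is linear in the input size.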