Heikki Vatiainen <h...@radiatorsoftware.com> wrote:
> I haven't worked with CBOR, but I'd be interested to know if, for
> example, how careful we need to be with serialiser/deserialiser to
> avoid problems similar to exponential expansions attacks [1], etc. TLVs

There are no entities like in XML, so that won't work.

CBOR now includes a "packed" format which is essentially a bespoke compression system for CBOR, with the decompressor defined. Encoders (compressors) can be as complicated as one likes.

The billion_laughs attack might be possible with packed CBOR, but as a CBOR Protocol user, you would be justified if you just said, "no packed CBOR"

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
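
One way a receiver could enforce the "no packed CBOR" position from the reply above, as an added example that is not part of the thread or of any EMU or CBOR project code: a pre-parse check that walks one CBOR item and rejects every tag outside the protocol's allowlist and every simple value other than false, true, null and undefined. It assumes packed CBOR signals its tables and references through tags and otherwise unassigned simple values, as the packed CBOR draft does; `check_plain_cbor`, `Rejected`, the depth limit and the sample bytes are hypothetical and constructed.

```python
ALLOWED_SIMPLE = {20, 21, 22, 23}          # false, true, null, undefined

class Rejected(ValueError):
    """Input is not plain, bounded CBOR as this (hypothetical) protocol defines it."""

def _head(buf, pos):
    """Decode one CBOR head; return (major, info, argument, next_pos)."""
    if pos >= len(buf):
        raise Rejected("truncated input")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        return major, info, info, pos
    if info > 27:                          # strictness choice: no indefinite lengths
        raise Rejected("indefinite-length or reserved head")
    size = 1 << (info - 24)                # 1, 2, 4 or 8 argument bytes
    if pos + size > len(buf):
        raise Rejected("truncated input")
    return major, info, int.from_bytes(buf[pos:pos + size], "big"), pos + size

def _item(buf, pos, depth, allowed_tags, max_depth):
    """Validate one data item starting at pos; return the offset just past it."""
    if depth > max_depth:
        raise Rejected("nesting too deep")
    major, info, arg, pos = _head(buf, pos)
    if major in (2, 3):                    # byte/text string: skip the payload
        if arg > len(buf) - pos:
            raise Rejected("string longer than input")
        return pos + arg
    if major in (4, 5):                    # array: arg items, map: 2 * arg items
        count = arg * (2 if major == 5 else 1)
        if count > len(buf) - pos:         # every item costs at least one byte
            raise Rejected("more items declared than bytes remain")
        for _ in range(count):
            pos = _item(buf, pos, depth + 1, allowed_tags, max_depth)
        return pos
    if major == 6:                         # tag: only what the protocol names
        if arg not in allowed_tags:
            raise Rejected(f"tag {arg} not in protocol allowlist")
        return _item(buf, pos, depth + 1, allowed_tags, max_depth)
    if major == 7 and (info == 24 or (info < 24 and info not in ALLOWED_SIMPLE)):
        raise Rejected(f"simple value {arg} not accepted")
    return pos                             # integers, floats, accepted simples

def check_plain_cbor(data, allowed_tags=frozenset(), max_depth=16):
    """Return True if data is exactly one acceptable item, else raise Rejected."""
    if _item(bytes(data), 0, 0, allowed_tags, max_depth) != len(data):
        raise Rejected("trailing bytes after item")
    return True

if __name__ == "__main__":
    print(check_plain_cbor(bytes.fromhex("a16161830102f5")))  # constructed: {"a": [1, 2, true]}
```

Running the check before handing the bytes to a full decoder means the size of what gets decoded stays bounded by the size of what was received.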