Hi Chris, Appreciate the feedback.
> On 05 May 2016, at 05:04, Chris Newman <[email protected]> wrote:
>
> I am opposed to using CBOR. CBOR is not well deployed. Most codebases need
> XML and JSON parsers but do not need CBOR parsers. So choosing CBOR
> significantly increases the code complexity. My codebase has a JSON and XML
> parser but no CBOR parser. I would strongly prefer to keep it that way, so
> CBOR would introduce an unnecessary deployment barrier.

To be upfront: I'm not, and never have been, a particular fan of CBOR myself. But I think some kind of binary format would be useful.

> Binary formats have an extremely poor track record for security-sensitive
> applications. ASN.1 BER/DER has been an utter disaster for real-world
> security in PKIX (there are probably hundreds of CVE reports due to ASN.1
> parser bugs including many in TLS/SSL/PKIX stacks). We should not repeat this
> design error in a security-sensitive context again.

There are very simple binary formats (CBOR is rather complex). We don't have to use ASN.1 nor BER nor DER. And I would never want to go that way.

> JSON parsers are widely used, simple and have been well analyzed for security
> usage. They are a good choice for a security sensitive context (excluding the
> naive Javascript implementation). Most deployed JSON parsers are
> secure-by-default.

Do you have any references for the above statement? I'm not sure I'd sign that verbatim. I think a lot of JSON libraries that are out there are completely unaudited, especially for scripting languages.

> I think JSON is the best choice for this use case. I can personally live with
> XML because I've built my own secure-by-default XML-subset parser (which is
> about 3x the size/complexity of my JSON parser), but I think it's an inferior
> choice to JSON for security-sensitive applications.

While I cared little about the discussion in STS about switching from XML to JSON, I do prefer the latter as well.

> If data size is a concern, then deflate is the answer. Deflate is likely to
> compress JSON far better than CBOR. While deflate is subject to the security
> problems that binary formats have (including several releases with known
> security vulnerabilities), I believe it's been around long enough that
> reasonably trustworthy implementations are now available (including current
> zlib releases). I'm not convinced data size is a concern.

Well. Depending on the channel we use for feedback, DEFLATE might be a poor option:

- http://breachattack.com/
- https://www.blackhat.com/docs/asia-16/materials/asia-16-Karakostas-Practical-New-Developments-In-The-BREACH-Attack.pdf

Aaron
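The BREACH concern raised above, as an added illustration that is not part of the thread: when a DEFLATE-compressed report mixes a secret with a field an outside party can influence, the compressed length depends on how much of the secret that field happens to repeat; compressing the secret in its own stream removes the cross-reference. The report layout, field names and token value are constructed for this example.

```python
import json
import zlib

# Constructed placeholder secret (e.g. a session token carried in a report).
SECRET_TOKEN = "tok_7f3a9c1e4b"


def build_joint_report(reflected: str) -> bytes:
    """Serialise a report as compact JSON and DEFLATE it as one stream.
    'reflected' stands for a field the other side can influence."""
    doc = {"report": {"reflected": reflected, "token": SECRET_TOKEN}}
    return zlib.compress(json.dumps(doc, separators=(",", ":")).encode(), 9)


def build_separated_report(reflected: str) -> bytes:
    """Mitigation: compress the influenced field and the secret as separate
    DEFLATE streams so no back-reference can span the two."""
    influenced = zlib.compress(json.dumps({"reflected": reflected}).encode(), 9)
    secret = zlib.compress(json.dumps({"token": SECRET_TOKEN}).encode(), 9)
    # Length-prefix each stream so the receiver can split them again.
    return (len(influenced).to_bytes(4, "big") + influenced
            + len(secret).to_bytes(4, "big") + secret)


def length_leaks(builder, candidate_a: str, candidate_b: str) -> bool:
    """Defender-side check: True when two equally long inputs yield different
    output lengths, i.e. the size of the compressed output is a side channel."""
    assert len(candidate_a) == len(candidate_b)
    return len(builder(candidate_a)) != len(builder(candidate_b))


if __name__ == "__main__":
    close_guess, unrelated = "tok_7f3a9c1e", "tok_q1w2e3r4"
    print("joint stream leaks:    ", length_leaks(build_joint_report, close_guess, unrelated))
    print("separated streams leak:", length_leaks(build_separated_report, close_guess, unrelated))
```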
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
