Last Call Review of draft-ietf-httpapi-yaml-mediatypes-04
review-ietf-httpapi-yaml-mediatypes-04-secdir-lc-emery-2023-04-03-00
| Request | Review of draft-ietf-httpapi-yaml-mediatypes |
|---|---|
| Requested revision | No specific revision (document currently at 10) |
| Type | Last Call Review |
| Team | Security Area Directorate (secdir) |
| Deadline | 2023-04-10 |
| Requested | 2023-03-20 |
| Authors | Roberto Polli, Erik Wilde, Eemeli Aro |
| I-D last updated | 2023-04-03 |
| Completed reviews | Artart Last Call review of -04 by Barry Leiba; Genart Last Call review of -04 by Elwyn B. Davies; Secdir Last Call review of -04 by Shawn M Emery; Opsdir Last Call review of -04 by Qin Wu |

| Assignment | |
|---|---|
| Reviewer | Shawn M Emery |
| State | Completed |
| Request | Last Call review on draft-ietf-httpapi-yaml-mediatypes by Security Area Directorate Assigned |
| Posted at | https://mailarchive.ietf.org/arch/msg/secdir/r-J0T-cityZmmxOWh7dOD9ma8lk |
| Reviewed revision | 04 (document currently at 10) |
| Result | Has nits |
| Completed | 2023-04-03 |
This informational draft specifies an IANA registry for the previously unpublished YAML media type and structured syntax suffix. YAML is a data serialization format used for combining one or more documents into one file or network resource. The security considerations section refers to section 4.6 of RFC 6838 and possible exploits regarding arbitrary code execution from YAML tags, DoS through infinite or high recursion, and DoS through the partial processing of YAML streams.

I do agree with each of the mitigations prescribed for the aforementioned exploits, but it does seem counterintuitive to me to validate all the documents in the stream before processing. Does this defeat the purpose of streaming?

General Comments:

The FAQ section helped me to understand why some of these design decisions were made, thank you.

Editorial Comments:

s/Security considerations: See Section 2.1/Security considerations: See Section 4/
s/impact on the/impact the/
s/serialize it JSON/serialize it in JSON/
s/details: this/details, which/