
Last Call Review of draft-ietf-httpapi-yaml-mediatypes-04
review-ietf-httpapi-yaml-mediatypes-04-secdir-lc-emery-2023-04-03-00

Request: Review of draft-ietf-httpapi-yaml-mediatypes
Requested revision: No specific revision (document currently at 10)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2023-04-10
Requested: 2023-03-20
Authors: Roberto Polli, Erik Wilde, Eemeli Aro
I-D last updated: 2023-04-03
Completed reviews:
  Artart Last Call review of -04 by Barry Leiba
  Genart Last Call review of -04 by Elwyn B. Davies
  Secdir Last Call review of -04 by Shawn M Emery
  Opsdir Last Call review of -04 by Qin Wu
Assignment: Reviewer Shawn M Emery
State: Completed
Request: Last Call review on draft-ietf-httpapi-yaml-mediatypes by Security Area Directorate (Assigned)
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/r-J0T-cityZmmxOWh7dOD9ma8lk
Reviewed revision: 04 (document currently at 10)
Result: Has nits
Completed: 2023-04-03
This informational draft specifies an IANA registry for the previously
unpublished YAML media type and structured syntax suffix.  YAML is a data
serialization format used for combining one or more documents into one file or
network resource.

The security considerations section refers to section 4.6 of RFC 6838 and
possible exploits regarding arbitrary code execution from YAML tags, DoS
through infinite or high recursion, and DoS through the partial processing of
YAML streams.  I do agree with each of the mitigations prescribed for the
aforementioned exploits, but it does seem counterintuitive to me to validate
all the documents in the stream before processing.  Does this defeat the
purpose of streaming?

General Comments:

The FAQ section helped me to understand why some of these design decisions were
made, thank you.

Editorial Comments:

s/Security considerations: See Section 2.1/Security considerations: See Section 4/
s/impact on the/impact the/
s/serialize it JSON/serialize it in JSON/
s/details: this/details, which/
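The three hazards the review lists (code execution through tags, alias expansion and recursion, partial processing of a stream) and the streaming trade-off it asks about, demonstrated with Ruby's bundled Psych parser. This is an added example by the editor, not part of the secdir review or of the draft; the helper names (load_untrusted, cyclic?, safe_json, consume_streaming, consume_validated), the document limit of 100, and every sample YAML string are constructed for the illustration.

```ruby
require "yaml"
require "json"

# Added example (not from the review or the draft). Ruby's bundled YAML
# parser, Psych, is used because it ships with the interpreter.

# 1. Code execution via tags and alias-expansion DoS: a loader for untrusted
#    input permits no application classes and no aliases at all.
# Returns [:ok, value] or [:rejected, ExceptionClass].
def load_untrusted(text)
  [:ok, YAML.safe_load(text, permitted_classes: [], aliases: false)]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:rejected, e.class]
end

# Constructed "billion laughs" document: each level aliases the previous one
# nine times, so the expanded tree has 9^n leaves for n levels.
BILLION_LAUGHS = <<~YAML
  a: &a ["lol", "lol", "lol", "lol", "lol", "lol", "lol", "lol", "lol"]
  b: &b [*a, *a, *a, *a, *a, *a, *a, *a, *a]
  c: &c [*b, *b, *b, *b, *b, *b, *b, *b, *b]
YAML

# 2. Recursion DoS: once aliases are enabled, "&a [*a]" loads as an array
#    that contains itself. A consumer that walks the tree (JSON output, deep
#    validation) recurses until it hits a depth limit or the stack.
CYCLIC = YAML.safe_load("--- &a [*a]\n", aliases: true)

# True if some container reachable from obj is its own ancestor. `path`
# holds the object_ids on the current descent only, so shared (DAG)
# subtrees such as the expanded BILLION_LAUGHS are not reported as cycles.
def cyclic?(obj, path = {})
  return false unless obj.is_a?(Array) || obj.is_a?(Hash)
  return true if path[obj.object_id]
  path[obj.object_id] = true
  children = obj.is_a?(Hash) ? obj.keys + obj.values : obj
  found = children.any? { |c| cyclic?(c, path) }
  path.delete(obj.object_id)
  found
end

# Serialise to JSON only after proving the tree is finite; nil means rejected.
def safe_json(obj)
  return nil if cyclic?(obj)
  JSON.generate(obj)
end

# 3. Partial processing of a stream. Constructed stream: two valid documents
#    followed by one whose flow sequence is never closed. Note that
#    YAML.safe_load on a multi-document stream silently returns only the
#    first document, so a stream needs explicit handling either way.
BROKEN_STREAM = "--- first\n--- second\n--- [broken\n"

# Streaming consumer: each document is handed over as soon as it is complete,
# so "first" and "second" have already been acted on when the error surfaces.
# Returns [documents_handled, error_class_or_nil].
def consume_streaming(text)
  handled = []
  Psych.parse_stream(text) { |doc| handled << doc.root.value }
  [handled, nil]
rescue Psych::SyntaxError => e
  [handled, e.class]
end

# Validate-first consumer: parse the whole stream and bound its size before
# acting on any document, so a malformed trailing document means nothing is
# processed. The price is that the stream is buffered, which is why the
# document bound (and in practice a byte bound) is part of the mitigation.
def consume_validated(text, max_docs: 100)
  handled = []
  stream = Psych.parse_stream(text)
  raise ArgumentError, "too many documents" if stream.children.size > max_docs
  stream.children.each { |doc| handled << doc.root.value }
  [handled, nil]
rescue Psych::SyntaxError, ArgumentError => e
  [handled, e.class]
end
```

Run under any Ruby 2.6 or later (keyword arguments to safe_load were added in Psych 3.1). The streaming consumer has already acted on two documents when the third is reported malformed, which is the partial-processing case; parsing the whole stream first does give up incremental processing, and the bound on document count is what keeps the resulting buffering from becoming its own exhaustion vector.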