Telechat Review of draft-ietf-json-rfc4627bis-09
review-ietf-json-rfc4627bis-09-secdir-telechat-gondrom-2013-12-19-00

Request Review of draft-ietf-json-rfc4627bis
Requested rev. no specific revision (document currently at 10)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2013-12-17
Requested 2013-12-12
Other Reviews Genart Last Call review of -07 by Elwyn Davies (diff)
Genart Telechat review of -09 by Elwyn Davies (diff)
Secdir Last Call review of -07 by Tobias Gondrom (diff)
Review State Completed
Reviewer Tobias Gondrom
Review review-ietf-json-rfc4627bis-09-secdir-telechat-gondrom-2013-12-19
Posted at https://www.ietf.org/mail-archive/web/secdir/current/msg04485.html
Reviewed rev. 09 (document currently at 10)
Review result Has Issues
Last updated 2013-12-19

Review
review-ietf-json-rfc4627bis-09-secdir-telechat-gondrom-2013-12-19



Hi all,

I re-reviewed the new doc version and did not see any changes related to my comments, nor did I receive any direct replies from the authors.

(Note: this might well be due to some technical errors on the IETF mail server, which I think are fixed now.)

As I am not sure whether my review email was received by the authors, here it is again.

Best regards, Tobias


On 06/12/13 19:29, Tobias Gondrom wrote:

Hi all,

As it seems my previous review email was not relayed to the secdir and IESG mailing lists, here it is again.

Best regards, Tobias


On 25/11/13 23:50, Tobias Gondrom wrote:

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The document updates RFC 4627 and aims for Standards Track. It is about the JSON Data Interchange Format.

This document appears ready for publication.

It is good that we make the effort to incorporate the existing errata into an updated RFC.

Some small nits / thoughts (as comments, none of them a discuss):

- section 1: you briefly explain strings, objects and arrays. Do you maybe also want to make a brief statement about the range of allowed numbers, or point towards section 6? (Though this is not absolutely necessary, as you discuss the data types in more detail in sections 4-7.)

- section 12, Security Considerations, second paragraph: the point about the "eval()" function is a bit shallow. It might be useful to discuss this a bit more and to spell out what would be best practice instead of "use that language's "eval()" function to parse JSON texts", as that "generally constitutes an unacceptable security risk".

- section 1 or 2: it might be useful to spell out what exactly the most important changes are in comparison to 4627 and why, or mention that this would be discussed in detail in Appendix A.

Best regards, Tobias
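The "eval()" point raised in the review above, illustrated with an added example that is not part of the review, the draft, or any IETF code: the inputs, the `pwned` flag and the `compareParsers` helper are all constructed for this demonstration. It runs the same text through an eval()-based "parser" and through a real JSON parser, so the difference the reviewer asks the draft to spell out is visible as behaviour rather than as a warning.

```javascript
// Added example (not from the review or the draft): why parsing JSON text with a
// language's eval() is an unacceptable security risk, and what to use instead.
// All sample inputs below are constructed for this demonstration.

// Well-formed JSON from a trusted source.
const TRUSTED_JSON = '{"user": "alice", "roles": ["admin"]}';

// Attacker-controlled "JSON" that is really a JavaScript expression. A JSON
// parser must reject it; eval() will execute the embedded function call.
const HOSTILE_PAYLOAD =
  '(function () { globalThis.pwned = true; return {"user": "mallory"}; })()';

// Lax but harmless input (unquoted key, single quotes) that eval() accepts and
// a JSON parser rejects: eval() silently widens the grammar beyond JSON.
const LAX_INPUT = "{user: 'bob'}";

// The anti-pattern: treating the text as JavaScript source code.
function parseWithEval(text) {
  // Parentheses make a bare object literal parse as an expression, not a block.
  return eval('(' + text + ')'); // eslint-disable-line no-eval
}

// Best practice: a dedicated parser that only accepts the JSON grammar and
// never executes code. A SyntaxError is the correct outcome for hostile input.
function parseWithJsonParse(text) {
  return JSON.parse(text);
}

// Run both parsers on one input and report what each did. The global flag
// `pwned` (constructed for this demo) records whether eval() ran attacker code.
function compareParsers(text) {
  globalThis.pwned = false;
  const report = {
    evalValue: null,
    evalExecutedCode: false,
    jsonValue: null,
    jsonParseRejected: false,
  };
  try {
    report.evalValue = parseWithEval(text);
  } catch (e) {
    report.evalValue = null;
  }
  report.evalExecutedCode = globalThis.pwned === true;
  try {
    report.jsonValue = parseWithJsonParse(text);
  } catch (e) {
    report.jsonParseRejected = e instanceof SyntaxError;
  }
  return report;
}

// Demonstration driver: prints one line per input.
function main() {
  const inputs = [
    ['trusted', TRUSTED_JSON],
    ['hostile', HOSTILE_PAYLOAD],
    ['lax', LAX_INPUT],
  ];
  for (const [label, text] of inputs) {
    const r = compareParsers(text);
    console.log(
      `${label}: eval executed code=${r.evalExecutedCode}, ` +
        `JSON.parse rejected=${r.jsonParseRejected}`
    );
  }
}

main();
```

On the hostile input, eval() runs the attacker's function (the `pwned` flag flips) and still returns a plausible-looking object, so a caller that only checks the return value sees nothing wrong; JSON.parse throws a SyntaxError instead. The lax input shows the second problem with eval(): it accepts text that is not JSON at all, so implementations built on it will disagree with conforming parsers about what is valid.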