
Telechat Review of draft-ietf-json-rfc4627bis-09

Request Review of draft-ietf-json-rfc4627bis
Requested revision No specific revision (document currently at 10)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2013-12-17
Requested 2013-12-12
Authors Tim Bray
Draft last updated 2013-12-19
Completed reviews Genart Last Call review of -07 by Elwyn B. Davies (diff)
Genart Telechat review of -09 by Elwyn B. Davies (diff)
Secdir Last Call review of -07 by Tobias Gondrom (diff)
Secdir Telechat review of -09 by Tobias Gondrom (diff)
Assignment Reviewer Tobias Gondrom
State Completed
Review review-ietf-json-rfc4627bis-09-secdir-telechat-gondrom-2013-12-19
Reviewed revision 09 (document currently at 10)
Result Has Issues
Completed 2013-12-19

Hi all, 

      I re-reviewed the new doc version and did not see any changes
      related to my comments nor did I receive any direct replies from
      the authors. 

      (note: this might well be due to some technical errors on the IETF
      mail server, which I think is fixed now.)

      As I am not sure whether my review email was received by the
      authors, here it is again. 

      Best regards, Tobias

      as I am not sure whether these 

      On 06/12/13 19:29, Tobias Gondrom wrote:

Hi all, 

        as it seems my previous review email was not relayed to the
        secdir and iesg mailing-lists. Here it is again. 

        Best regards, Tobias

        On 25/11/13 23:50, Tobias Gondrom wrote:

I have reviewed this document as part of the
          security directorate's ongoing effort to review all IETF
          documents being processed by the IESG.  These comments were
          written primarily for the benefit of the security area
          directors.  Document editors and WG chairs should treat these
          comments just like any other last call comments.

          The document updates RFC4627 and aims for Standards Track. It is
          about the JSON Data Interchange Format. The document appears
          ready for publication.

            It is good that we make the effort to incorporate the
            existing errata into an updated RFC. 

            Some small nits / thoughts (as comments, none of them a

            - section 1: you briefly explain strings, objects and
            arrays. Do you maybe also want to make a brief statement
            about the range of allowed numbers or point towards section
            6? (though this is not absolutely necessary as you discuss
            the data types in more detail in section 4-7).  

            - section 12.  Security Considerations: 

            second paragraph: the point about the "eval()" function is a
            bit shallow, it might be useful to discuss this a bit more
            and to spell out what would be best practice instead of "use
            that language's "eval()" function to parse JSON texts." as
            that "generally constitutes an unacceptable security risk"

            - section 1 or 2: 

            it might be useful to spell out what exactly the most
            important changes are in comparison to 4627 and why. Or
            mention that this would be discussed in detail in Appendix

            Best regards, Tobias
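The review's point about section 12 (parsing JSON with a language's `eval()` instead of a real JSON parser) is illustrated below with an added example; it is not part of the review or of the draft. The texts fed to the parsers are constructed here, and `markSideEffect` is a hypothetical helper that only records whether code was executed.

```javascript
// Added example: eval() as a JSON "parser" versus a grammar-based parser.
// Constructed sample inputs; nothing here comes from the draft or the review.

// Unsafe: eval() treats the text as a JavaScript program. Well-formed JSON
// happens to evaluate to the intended data, but so does any other JavaScript
// expression, including calls with side effects. Kept only to show the risk.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Safe: JSON.parse accepts only the JSON grammar and never executes code.
// Anything that is not a JSON text raises a SyntaxError, surfaced as null.
function parseSafely(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    return null;
  }
}

// Hypothetical helper: a counter that proves code ran during "parsing".
let sideEffectCount = 0;
function markSideEffect() { sideEffectCount += 1; return 'executed'; }

// Constructed inputs.
const goodText   = '{"name":"alice","roles":["admin","dev"],"n":42}';
const nonJsonText = '(markSideEffect(), {"name":"alice"})'; // JS, not JSON
const notQuiteJson = "{'name': 'alice'}";                   // single quotes

// Runs both parsers over the inputs and reports what each one did.
function compareParsers() {
  const before = sideEffectCount;
  const viaEval = parseWithEval(nonJsonText);  // executes markSideEffect()
  const viaJson = parseSafely(nonJsonText);    // null: rejected as not JSON
  return {
    evalRanCode: sideEffectCount > before,               // true
    evalResult: viaEval,                                 // {name: 'alice'}
    jsonResult: viaJson,                                 // null
    singleQuotesEval: parseWithEval(notQuiteJson).name,  // 'alice': lenient
    singleQuotesJson: parseSafely(notQuiteJson),         // null: strict grammar
    goodJson: parseSafely(goodText).n,                   // 42
  };
}
```

The last two fields also show the interoperability side of the same point: `eval()` quietly accepts texts that are not JSON, so two implementations can disagree about what a "JSON text" is.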