Telechat Review of draft-ietf-json-rfc4627bis-09
review-ietf-json-rfc4627bis-09-secdir-telechat-gondrom-2013-12-19-00

| Request | Review of | draft-ietf-json-rfc4627bis |
|---|---|---|
| | Requested revision | No specific revision (document currently at 10) |
| | Type | Telechat Review |
| | Team | Security Area Directorate (secdir) |
| | Deadline | 2013-12-17 |
| | Requested | 2013-12-12 |
| | Authors | Tim Bray |
| | Draft last updated | 2013-12-19 |
| | Completed reviews | Genart Last Call review of -07 by Elwyn B. Davies; Genart Telechat review of -09 by Elwyn B. Davies; Secdir Last Call review of -07 by Tobias Gondrom; Secdir Telechat review of -09 by Tobias Gondrom |
| Assignment | Reviewer | Tobias Gondrom |
| | State | Completed |
| | Review | review-ietf-json-rfc4627bis-09-secdir-telechat-gondrom-2013-12-19 |
| | Reviewed revision | 09 (document currently at 10) |
| | Result | Has Issues |
| | Completed | 2013-12-19 |
Hi all,
I re-reviewed the new doc version and did not see any changes
related to my comments nor did I receive any direct replies from
the authors.
(note: this might well be due to some technical errors on the IETF
mail server, which I think is fixed now.)
As I am not sure whether my review email was received by the
authors, here it is again.
Best regards, Tobias
as I am not sure whether these
On 06/12/13 19:29, Tobias Gondrom wrote:
Hi all,
As it seems my previous review email was not relayed to the
secdir and IESG mailing lists, here it is again.
Best regards, Tobias
On 25/11/13 23:50, Tobias Gondrom wrote:
I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF
documents being processed by the IESG. These comments were
written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these
comments just like any other last call comments.
The document updates RFC 4627 and aims for Standards Track.
It is about the JSON Data Interchange Format. This
document appears ready for publication.
It is good that we make the effort to incorporate the
existing errata into an updated RFC.
Some small nits / thoughts (as comments, none of them a
discuss):
- section 1: you briefly explain strings, objects and
arrays. Do you maybe also want to make a brief statement
about the range of allowed numbers or point towards section
6? (though this is not absolutely necessary as you discuss
the data types in more detail in sections 4-7).
- section 12. Security Considerations:
second paragraph: the point about the "eval()" function is a
bit shallow; it might be useful to discuss this a bit more
and to spell out what would be best practice instead of "use
that language's "eval()" function to parse JSON texts.", as
that "generally constitutes an unacceptable security risk".
- section 1 or 2:
it might be useful to spell out what exactly the most
important changes are in comparison to RFC 4627 and why, or
to mention that this is discussed in detail in Appendix A.
Best regards, Tobias
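As an added illustration of the eval() point raised in the review above (this is editorial example code, not part of the review, the draft, or any implementation it references), the following JavaScript contrasts the eval()-based parsing idiom the draft warns against with a real JSON parser. The hostile input is constructed for the example: it is a syntactically valid JavaScript expression but not a valid JSON text, so eval() executes the embedded function while JSON.parse() rejects it with a SyntaxError. The global name `pwned` is an arbitrary marker chosen for the demonstration.

```javascript
// Constructed hostile "JSON text": valid JavaScript, NOT valid JSON.
// The value of "isAdmin" is an immediately-invoked function that plants a
// global marker (globalThis.pwned) as a stand-in for arbitrary code execution.
const hostileText =
  '{"user": "alice", "isAdmin": (function () { globalThis.pwned = true; return true; })()}';

// Constructed benign input: a valid JSON text.
const benignText = '{"user": "alice", "isAdmin": false}';

// The practice RFC 4627 / rfc4627bis warn against: handing untrusted text to
// the host language's eval(). The surrounding parentheses force an object
// literal to be parsed as an expression, which is how legacy code did it.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Best practice: a parser that implements only the JSON grammar. JSON.parse()
// cannot evaluate code; anything outside the grammar is a SyntaxError.
function parseWithJsonParse(text) {
  return JSON.parse(text);
}

// Runs both strategies on one input and reports what happened, so the two
// behaviours can be compared side by side. The eval side effect is detected
// by checking whether the marker global appeared.
function compareStrategies(text) {
  const result = {
    eval: null,            // value produced by eval(), or an error label
    evalSideEffect: false, // did eval() run code with a visible side effect?
    jsonParse: null,       // value produced by JSON.parse(), or null
    jsonParseRejected: false // did JSON.parse() refuse the text?
  };

  delete globalThis.pwned;
  try {
    result.eval = parseWithEval(text);
  } catch (e) {
    result.eval = 'error: ' + e.name;
  }
  result.evalSideEffect = globalThis.pwned === true;
  delete globalThis.pwned;

  try {
    result.jsonParse = parseWithJsonParse(text);
  } catch (e) {
    result.jsonParseRejected = e instanceof SyntaxError;
  }
  return result;
}

// Stand-alone usage: the hostile text grants isAdmin=true and runs code under
// eval(), but is rejected outright by JSON.parse().
console.log(JSON.stringify(compareStrategies(hostileText)));
console.log(JSON.stringify(compareStrategies(benignText)));
```

The practitioner's takeaway is the one the reviewer asks the draft to spell out: the parser must accept the JSON grammar and nothing else. A general-purpose evaluator accepts a superset of JSON, and that superset is where the attacker's code lives.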