I think David's reply nailed what the WG should do:

1. recommend minimizing the code associated with parsing untrusted data. (like https://www.w3.org/TR/webauthn-3/#clientdatajson-serialization )
2. recommend verifying data before parsing it whenever possible.
The rest is just context that was provided to motivate these recommendations (which I believe are not controversial).

This guidance could just as easily be applied to ASN.1 or CBOR parsers, but since they are not relevant to SD-JWT... that's off topic for this thread imo.

OS

On Sun, Oct 15, 2023 at 10:43 AM Brian Campbell <bcampb...@pingidentity.com> wrote:

> On Fri, Oct 13, 2023 at 3:53 PM Orie Steele <orie@transmute.industries> wrote:
>
>> Inline (and sorry for repeating points / rambling) :
>
> No need to apologize.
>
> It is, however, difficult (for me anyway) to engage with all this in a way that feels productive. Honestly, I've read through the whole thread many many times trying to figure out how/where to chime in, argue/nitpick, agree/disagree, etc. and find myself lost or overwhelmed by the prospect. So I'm going to try and bring it back up a bit.
>
> I don't think we actually disagree on much in principle here. Rather about what can or should be said or done about it at the level of the SD-JWT document. The overwhelming majority of this thread has been about JWS/JWT more generally and not specific to SD-JWT. Even at the SD-JWT doc level - I don't disagree that having some considerations that state the general security principle, so that implementers can be aware of it, would be okay/useful. I just believe that what's said should be relevant, useful, realistic, etc. in the context and not distracting, alarmist, or impractical.

-- 
ORIE STEELE
Chief Technology Officer
www.transmute.industries <https://transmute.industries>
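The "verify before parse" recommendation above, shown on a compact JWS as an added example that is not code from this thread or from any SD-JWT implementation. It assumes HS256 with a constructed shared key so it runs offline, and it pins the expected algorithm in the verifier instead of trusting the header's `alg`; the signature is checked over the raw encoded segments, and base64 decoding plus JSON parsing of header and payload happen only afterwards.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real verifier fixes key and algorithm out of band.
KEY = b"constructed-demo-key"
EXPECTED_ALG = "HS256"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_jws(payload: dict, key: bytes = KEY) -> str:
    """Issuer side for the demo: build a compact HS256 JWS."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    header_b64 = b64url_encode(header.encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def verify_then_parse(token: str, key: bytes = KEY) -> dict:
    """Verifier side: authenticate the bytes first, parse them second."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    # Step 1: the MAC is computed over the ASCII segments as received, so no
    # JSON parser has touched attacker-controlled input at this point.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature invalid")
    # Step 2: decode and parse only authenticated data; the alg check is a
    # consistency check against the pinned value, not the source of truth.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    return json.loads(b64url_decode(payload_b64))
```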
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth