I think David's reply nailed what the WG should do:

1. recommend minimizing the code associated with parsing untrusted data.
(like https://www.w3.org/TR/webauthn-3/#clientdatajson-serialization )
2. recommend verifying data before parsing it whenever possible.

The rest is just context that was provided to motivate these
recommendations (which I believe are not controversial).

This guidance could just as easily be applied to ASN.1 or CBOR parsers, but
since they are not relevant to SD-JWT... that's off topic for this thread
imo.

OS

On Sun, Oct 15, 2023 at 10:43 AM Brian Campbell <bcampb...@pingidentity.com>
wrote:

>
> On Fri, Oct 13, 2023 at 3:53 PM Orie Steele <orie@transmute.industries>
> wrote:
>
>> Inline (and sorry for repeating points / rambling) :
>>
>
> No need to apologize.
>
> It is, however, difficult (for me anyway) to engage with all this in a way
> that feels productive. Honestly, I've read through the whole thread many
> many times trying to figure out how/where to chime in, argue/nitpick,
> agree/disagree, etc. and find myself lost or overwhelmed by the prospect.
> So I'm going to try and bring it back up a bit.
>
> I don't think we actually disagree on much in principle here. Rather about
> what can or should be said or done about it at the level of the SD-JWT
> document. The overwhelming majority of this thread has been about JWS/JWT
> more generally and not specific to SD-JWT. Even at the SD-JWT doc level - I
> don't disagree that having some considerations that state the general
> security principle, so that implementers can be aware of it, would be
> okay/useful. I just believe that what's said should be relevant, useful,
> realistic, etc. in the context and not distracting, alarmist, or
> impractical.

-- 

ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>
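The two recommendations at the top of this message (minimize parsing code; verify before parsing), applied to an SD-JWT compact serialization as an added example that is not from the thread or from any SD-JWT implementation: the presentation is checked against an algorithm and key pinned out of band before any base64url/JSON decoding happens, and each disclosure is parsed only after the signed `_sd` digest list has vouched for it. HS256 with a constructed key, issuer and claim are assumptions made to keep the code standard-library only; real SD-JWTs carry asymmetric issuer signatures.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed stand-in for the issuer's signing key


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def issue_sample_sd_jwt(key: bytes) -> str:
    """Constructed issuer: one selectively disclosable claim, HS256 standing in for the signature."""
    disclosure = b64url_encode(json.dumps(["c2FsdA", "given_name", "Alice"]).encode())
    digest = b64url_encode(hashlib.sha256(disclosure.encode("ascii")).digest())
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "example+sd-jwt"}).encode())
    payload = b64url_encode(json.dumps({"iss": "https://issuer.example", "_sd": [digest]}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}~{disclosure}~"


def verify_then_parse(sd_jwt: str, key: bytes) -> dict:
    """Verify before parsing: until the MAC check passes, the untrusted string is only
    split on '~' and '.'; no base64url/JSON decoding of header, payload or disclosures."""
    parts = sd_jwt.split("~")
    jws, disclosures = parts[0], parts[1:-1]  # last slot is the optional KB-JWT (unused here)
    try:
        h_b64, p_b64, s_b64 = jws.split(".")
    except ValueError:
        raise ValueError("malformed JWS compact serialization") from None
    # Algorithm and key are fixed out of band, so the untrusted header is never consulted
    # to choose them; HS256 is assumed only to keep the example standard-library only.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_encode(expected).encode(), s_b64.encode()):
        raise ValueError("signature check failed; nothing was parsed")
    if json.loads(b64url_decode(h_b64)).get("alg") != "HS256":
        raise ValueError("header alg does not match the pinned algorithm")
    payload = json.loads(b64url_decode(p_b64))
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    bound = set(payload.get("_sd", []))
    for d in disclosures:
        # A disclosure is decoded only after the signed payload has vouched for its digest.
        if b64url_encode(hashlib.sha256(d.encode("ascii")).digest()) not in bound:
            raise ValueError("disclosure not bound to the signed payload")
        _salt, name, value = json.loads(b64url_decode(d))
        claims[name] = value
    return claims
```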
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth