Forgot to include regext. :) Jasdip
From: Jasdip Singh <[email protected]> Date: Monday, June 30, 2025 at 10:48 AM To: Mario Loffredo <[email protected]> Subject: Re: [regext] Re: RDAP JSContact -21 feedback Hi Mario, From: Mario Loffredo <[email protected]> Date: Monday, June 30, 2025 at 3:46 AM To: Jasdip Singh <[email protected]> Subject: Re: [regext] Re: RDAP JSContact -21 feedback … 7. Security Considerations Couple of redaction methods from RFC 9537 [4] [5] for “uid" are considered. Last we discussed this subject, the JSONPath usage from that RFC seemed problematic. Is there any concern vis-à-vis that? [ML] Honestly, the JSONPath expression pointing to the uid property seems less complex than others including filters to select and redact a jCard property. What's the specific problem here ? [JS] My concern was if the Replacement Value method were to involve “prePath” (e.g., Figure 9 from RFC 9537 where a redacted member (email) is replaced with value in another member (contact-uri)), but that’s not the case for the “uid” replacement where only “postPath” would be involved. You are right; the JSONPath use from RFC 9537 should be safe here. [ML2] JSContact primarily uses maps instead of arrays. Therefore, there is no problem in redacting map entries, as they are retrieved by related keys, not by their position in the collection. [JS] AFAIU, as long as there is no dependence on “prePath” (could manifest in replacement and removal methods), it should be safer to use JSONPath-based redaction from RFC 9537. As we know, [1] highlighted these and other issues. Since we previously decided to defer addressing them until there is some implementation experience, at some point, it’d be good to consider a bis for RFC 9537 to settle this. [1] https://www.ietf.org/archive/id/draft-newton-regext-rdap-considerations-on-rfc9537-00.html Since uid has been made optional by draft-ietf-calext-jscontact-uid<https://datatracker.ietf.org/doc/draft-ietf-calext-jscontact-uid/>, support for uid will be removed in the next release that I will release soon. [JS] OK. Thanks, Jasdip
_______________________________________________ regext mailing list -- [email protected] To unsubscribe send an email to [email protected]
