Hi Brian and Orie,
In the "old days", such problem did not existed. The prime example is
using ASN.1 / DER where the decoder can first know the full size of the
message
using two or more bytes after the first byte that must contain the value
30 (SEQUENCE). Then after, the server was knowing which ASN.1 sequence
to receive
and the decoder was able to check whether the whole sequence was or was
not conformant to an ASN.1 description identified using an OID.
So the whole sequence could be decoded safely without the need to check
or not that the sequence was correctly signed.
While it is well known that a JSON object only need a parser to be
decoded and not also a schema, using a schema with a parser might be a
solution to consider,
but I fear this is opening a can of worms.
Outside of the IETF, the use of schemas for JSON has been considered.
There may be good reasons why the IETF has not considered such a
possibility,
but I don't know these reasons.
Denis
On Fri, Oct 13, 2023 at 3:53 PM Orie Steele
<orie@transmute.industries> wrote:
Inline (and sorry for repeating points / rambling) :
No need to apologize.
It is, however, difficult (for me anyway) to engage with all this in a
way that feels productive. Honestly, I've read through the whole
thread many many times trying to figure out how/where to chime in,
argue/nitpick, agree/disagree, etc. and find myself lost or
overwhelmed by the prospect. So I'm going to try and bring it back up
a bit.
I don't think we actually disagree on much in principle here. Rather
about what can or should be said or done about it at the level of the
SD-JWT document. The overwhelming majority of this thread has been
about JWS/JWT more generally and not specific to SD-JWT. Even at the
SD-JWT doc level - I don't disagree that having some considerations
that state the general security principle, so that implementers can be
aware of it, would be okay/useful. I just believe that what's said
should be relevant, useful, realistic, etc. in the context and not
distracting, alarmist, or impractical.
/CONFIDENTIALITY NOTICE: This email may contain confidential and
privileged material for the sole use of the intended recipient(s). Any
review, use, distribution or disclosure by others is strictly
prohibited. If you have received this communication in error, please
notify the sender immediately by e-mail and delete the message and any
file attachments from your computer. Thank you./
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth