CBOR WG Meeting - Interim 13
Wednesday, August 14, 2019, 15:00 - 16:00 UTC
Chairs: Francesca Palombini, Jim Schaad

Present:
  Carsten Bormann
  Francesca Palombini
  Jim Schaad
  Laurence Lundblade
  Sean Leonard
  Ira McDonald
  Jeffrey Yasskin
  Michael Richardson (joined last 15 min)

Recordings: https://www.youtube.com/watch?v=8tbix7GiB1U

* Charter status update (chairs)

  In external review
  On telechat for 8-22

* CBOR Array Tag status (Francesca)

  Shepherd review finished - waiting for update from Carsten

  https://tools.ietf.org/html/draft-ietf-cbor-array-tags-06#section-7

    As with all formats that are used for data interchange, an attacker
    may have control over the shape of the data delivered as input to
    the application, which therefore needs to validate that shape before
    it makes it the basis of its further processing. One unique aspect
    that typed arrays add to this is that an attacker might substitute a
    Uint8ClampedArray for where the application expects a Uint8Array, or
    vice versa, potentially leading to very different (and unexpected)
    processing semantics of the in-memory data structures constructed.
    Applications that could be affected by this therefore will need to
    be careful about making this distinction in their input validation.

  If any comment, please bring to the mailing list, otherwise will go ahead.

* CBOR Sequence status (chairs)

  - WG adoption call ended 12/08

  AP Chairs: WGLC

* CBOR specification: https://tools.ietf.org/html/draft-ietf-cbor-7049bis

  CBORBis (Carsten, Paul)
  - Status update since IETF105
  - Issue discussion

  CB: Need to spend research time on IEEE754:2019 as it just got updated
      and has new NaNs
  CB: ask for review for PR 104.
  CB: How often should we be publishing a new draft?
  General sense - every two to four weeks makes sense

  Next interims: Aug 28, Sept 25
  No Carsten on Sept 11.

  CB: Have next round of updates published by Aug 26

* AOB

  CB: Tag squatting issue found when registering for tag 42 w/ yang-cbor
  JS: Can we make them do an early allocation request to make sure it is
      registered?
  SL: Sounds good to move
  CB: Is there anything we can do to detect this in the future?

  SL: Recap of thread dealing with the changes suggested for document
      level when doing registration of tags.
  AP SL: Write up a pull request for final discussion

  CB: What do we do about the OID thing?
  SL: Need to work on that draft. Plan to split the draft. One for OIDs
      and the second for the rest. Hope to get something we can get
      discussed by Singapore at the latest.

  LL: Unassigned vs reserved: Simple values 24-32 are reserved, 28-30 are
      unassigned
  CB: That is a bug - Need to get an issue as not seen.

  LL: List of non-well formed CBOR - Is this added to the RFC or someplace
      else? Proposed to add as an appendix. Willing to do the pull
      request.
  CB: Two reservations - control over the size of the document - too long
      is not really good. Potentially very incomplete - a more complete
      thing in a repository w/ good coverage may be better. Making a
      decision on non-well formed is not in contention, just the question
      of how much cover is needed.
  LL: Believes that the list is fairly complete - Expect to be in the
      neighborhood of two pages.
  FP: Would not mind seeing in document even with note on needing
      extension.
  IM: Thinks it is reasonable to put into document
  LL: will finish up as a pull request.
  CB: Useful to distinguish between too short and impossible
  FP: make a PR and will discuss more (ml/interim)

  FP: interim on Sept 11 will probably be cancelled.