draft-ietf-cbor-array-tags-05.txt		draft-ietf-cbor-array-tags-06.txt
	Network Working Group C. Bormann, Ed.		Network Working Group C. Bormann, Ed.
	Internet-Draft Universitaet Bremen TZI		Internet-Draft Universitaet Bremen TZI
	Intended status: Informational June 20, 2019		Intended status: Informational August 14, 2019
	Expires: December 22, 2019		Expires: February 15, 2020
	Concise Binary Object Representation (CBOR) Tags for Typed Arrays		Concise Binary Object Representation (CBOR) Tags for Typed Arrays
	draft-ietf-cbor-array-tags-05		draft-ietf-cbor-array-tags-06
	Abstract		Abstract
	The Concise Binary Object Representation (CBOR, RFC 7049) is a data		The Concise Binary Object Representation (CBOR, RFC 7049) is a data
	format whose design goals include the possibility of extremely small		format whose design goals include the possibility of extremely small
	code size, fairly small message size, and extensibility without the		code size, fairly small message size, and extensibility without the
	need for version negotiation.		need for version negotiation.
	The present document makes use of this extensibility to define a		The present document makes use of this extensibility to define a
	number of CBOR tags for typed arrays of numeric data, as well as two		number of CBOR tags for typed arrays of numeric data, as well as two
	skipping to change at page 1, line 39 ¶		skipping to change at page 1, line 39 ¶
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute		Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-		working documents as Internet-Drafts. The list of current Internet-
	Drafts is at https://datatracker.ietf.org/drafts/current/.		Drafts is at https://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	This Internet-Draft will expire on December 22, 2019.		This Internet-Draft will expire on February 15, 2020.
	Copyright Notice		Copyright Notice
	Copyright (c) 2019 IETF Trust and the persons identified as the		Copyright (c) 2019 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents		Provisions Relating to IETF Documents
	(https://trustee.ietf.org/license-info) in effect on the date of		(https://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents		publication of this document. Please review these documents
	skipping to change at page 14, line 5 ¶		skipping to change at page 13, line 17 ¶
	The security considerations of RFC 7049 apply; special attention is		The security considerations of RFC 7049 apply; special attention is
	drawn to the second paragraph of Section 8 of RFC 7049.		drawn to the second paragraph of Section 8 of RFC 7049.
	The Tag for homogeneous arrays makes a promise about its tagged data		The Tag for homogeneous arrays makes a promise about its tagged data
	item that a maliciously constructed CBOR input can then choose to		item that a maliciously constructed CBOR input can then choose to
	ignore. As always, the decoder therefore has to ensure that it is		ignore. As always, the decoder therefore has to ensure that it is
	not driven into an undefined state by array elements that do not		not driven into an undefined state by array elements that do not
	fulfill the promise and that it does continue to fulfill its API		fulfill the promise and that it does continue to fulfill its API
	contract in this case as well.		contract in this case as well.
			As with all formats that are used for data interchange, an attacker
			may have control over the shape of the data delivered as input to the
			application, which therefore needs to validate that shape before it
			makes it the basis of its further processing. One unique aspect that
			typed arrays add to this is that an attacker might substitute a
			Uint8ClampedArray for where the application expects a Uint8Array, or
			vice versa, potentially leading to very different (and unexpected)
			processing semantics of the in-memory data structures constructed.
			Applications that could be affected by this therefore will need to be
			careful about making this distinction in their input validation.
	8. References		8. References
	8.1. Normative References		8.1. Normative References
	[IEEE754] IEEE, "IEEE Standard for Floating-Point Arithmetic", IEEE		[IEEE754] IEEE, "IEEE Standard for Floating-Point Arithmetic", IEEE
	Std 754-2008.		Std 754-2008.
	[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate		[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
	Requirement Levels", BCP 14, RFC 2119,		Requirement Levels", BCP 14, RFC 2119,
	DOI 10.17487/RFC2119, March 1997,		DOI 10.17487/RFC2119, March 1997,
End of changes. 4 change blocks.
	4 lines changed or deleted		15 lines changed or added
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/