--- 1/draft-ietf-cbor-array-tags-05.txt	2019-08-14 07:13:33.373283692 -0700
+++ 2/draft-ietf-cbor-array-tags-06.txt	2019-08-14 07:13:33.401284394 -0700
@@ -1,18 +1,18 @@
 
 Network Working Group                                    C. Bormann, Ed.
 Internet-Draft                                   Universitaet Bremen TZI
-Intended status: Informational                             June 20, 2019
-Expires: December 22, 2019
+Intended status: Informational                           August 14, 2019
+Expires: February 15, 2020
 
    Concise Binary Object Representation (CBOR) Tags for Typed Arrays
-                     draft-ietf-cbor-array-tags-05
+                     draft-ietf-cbor-array-tags-06
 
 Abstract
 
    The Concise Binary Object Representation (CBOR, RFC 7049) is a data
    format whose design goals include the possibility of extremely small
    code size, fairly small message size, and extensibility without the
    need for version negotiation.
 
    The present document makes use of this extensibility to define a
    number of CBOR tags for typed arrays of numeric data, as well as two
@@ -28,21 +28,21 @@
    Internet-Drafts are working documents of the Internet Engineering
    Task Force (IETF).  Note that other groups may also distribute
    working documents as Internet-Drafts.  The list of current Internet-
    Drafts is at https://datatracker.ietf.org/drafts/current/.
 
    Internet-Drafts are draft documents valid for a maximum of six months
    and may be updated, replaced, or obsoleted by other documents at any
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on December 22, 2019.
+   This Internet-Draft will expire on February 15, 2020.
 
 Copyright Notice
 
    Copyright (c) 2019 IETF Trust and the persons identified as the
    document authors.  All rights reserved.
 
    This document is subject to BCP 78 and the IETF Trust's Legal
    Provisions Relating to IETF Documents
    (https://trustee.ietf.org/license-info) in effect on the date of
    publication of this document.  Please review these documents
@@ -497,20 +497,31 @@
    The security considerations of RFC 7049 apply; special attention is
    drawn to the second paragraph of Section 8 of RFC 7049.
 
    The Tag for homogeneous arrays makes a promise about its tagged data
    item that a maliciously constructed CBOR input can then choose to
    ignore.  As always, the decoder therefore has to ensure that it is
    not driven into an undefined state by array elements that do not
    fulfill the promise and that it does continue to fulfill its API
    contract in this case as well.
 
+   As with all formats that are used for data interchange, an attacker
+   may have control over the shape of the data delivered as input to the
+   application, which therefore needs to validate that shape before it
+   makes it the basis of its further processing.  One unique aspect that
+   typed arrays add to this is that an attacker might substitute a
+   Uint8ClampedArray for where the application expects a Uint8Array, or
+   vice versa, potentially leading to very different (and unexpected)
+   processing semantics of the in-memory data structures constructed.
+   Applications that could be affected by this therefore will need to be
+   careful about making this distinction in their input validation.
+
 8.  References
 
 8.1.  Normative References
 
    [IEEE754]  IEEE, "IEEE Standard for Floating-Point Arithmetic", IEEE
               Std 754-2008.
 
    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119,
               DOI 10.17487/RFC2119, March 1997,