Heikki Vatiainen <[email protected]> wrote:
> I haven't worked with CBOR, but I'd be interested to know if, for
> example, how careful we need to be with serialiser/deserialiser to
> avoid problems similar to exponential expansions attacks [1], etc. TLVs

There are no entities like in XML, so that won't work.

CBOR now includes a "packed" format which is essentially a bespoke compression system for CBOR, with the decompressor defined. Encoders (compressors) can be as complicated as one likes.

The billion_laughs attack might be possible with packed CBOR, but as a CBOR Protocol user, you would be justified if you just said, "no packed CBOR"

--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
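
One way a receiver could enforce the "no packed CBOR" policy suggested in the reply above, as an added example that is not code from the thread or from any EMU draft: packed CBOR marks its tables and references with tags and simple values, so a pre-decode walk that rejects every tag and simple value outside a protocol allowlist refuses it whatever numbers are assigned. The allowlists, the depth and item budgets, the refusal of indefinite lengths and the sample inputs are assumptions constructed for this example.

```python
ALLOWED_TAGS = frozenset()                # assumption: the protocol defines no tags
ALLOWED_SIMPLE = frozenset({20, 21, 22})  # false, true, null
MAX_DEPTH, MAX_ITEMS = 16, 1000           # assumed budgets

class Rejected(ValueError):
    pass

def read_head(buf, pos):
    """Decode one CBOR head: (major type, additional info, argument, next pos)."""
    if pos >= len(buf):
        raise Rejected("truncated")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        return major, info, info, pos
    if info > 27:
        raise Rejected("indefinite length or reserved encoding")
    n = 1 << (info - 24)                  # 1, 2, 4 or 8 argument bytes
    if pos + n > len(buf):
        raise Rejected("truncated")
    return major, info, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def check(buf):
    """Walk one data item without materialising it; raise Rejected on a violation."""
    budget = MAX_ITEMS
    def walk(pos, depth):
        nonlocal budget
        budget -= 1
        if depth > MAX_DEPTH or budget < 0:
            raise Rejected("nesting or item budget exceeded")
        major, info, arg, pos = read_head(buf, pos)
        if major in (2, 3):               # byte/text string: skip the payload
            if pos + arg > len(buf):
                raise Rejected("truncated")
            return pos + arg
        if major in (4, 5):               # array, or map with two items per entry
            for _ in range(arg * (major - 3)):
                pos = walk(pos, depth + 1)
        elif major == 6:                  # tag: allowlist, then check the content
            if arg not in ALLOWED_TAGS:
                raise Rejected(f"tag {arg} not allowed")
            pos = walk(pos, depth + 1)
        elif major == 7 and info < 25 and arg not in ALLOWED_SIMPLE:
            raise Rejected(f"simple value {arg} not allowed")
        return pos
    if walk(0, 0) != len(buf):
        raise Rejected("trailing bytes")

def verdict(buf):
    """Return "ok" or the rejection reason for one encoded message."""
    try:
        check(buf)
        return "ok"
    except Rejected as exc:
        return str(exc)
```

Running the walk before handing the bytes to a full decoder means a declared array length of 2^64-1 or a deeply nested item is refused without allocating anything for it.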
