Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add security consideration around Multiformat choice. #107

Merged
merged 2 commits into from
Oct 19, 2024
Merged

Add security consideration around Multiformat choice. #107

merged 2 commits into from
Oct 19, 2024

Conversation

msporny
Copy link
Member

@msporny msporny commented Oct 13, 2024
edited by pr-preview bot
Loading

This PR is an attempt to partially address issue #94 by adding a security consideration around Multiformat choice.

/cc @jyasskin and @hadleybeeman

Preview | Diff

@msporny msporny mentioned this pull request Oct 13, 2024
Closed
iherman
iherman reviewed Oct 14, 2024
View reviewed changes
index.html Outdated
Comment on lines 2894 to 2896
Some mistakenly presume that Multiformats promote an explosion of encoding
formats, which harm interoperability due to forcing implementers to have to
implement many different formats. To the contrary, Multiformats exist because
Copy link
Member

@iherman iherman Oct 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Some mistakenly presume that Multiformats promote an explosion of encoding
formats, which harm interoperability due to forcing implementers to have to
implement many different formats. To the contrary, Multiformats exist because
Multiformats exist because

I do not think it is worth and necessary to get into this kind of polemics here. I would prefer to just describe why we have this formats here and leave the discussions aside. The change above may be the simplest change; you may choose to reformulate the paragraph as a whole...

index.html Outdated
Comment on lines 2900 to 2902
developers make different choices based upon different requirements. Imposing a
single base-encoding, cryptographic hashing, or cryptographic key format on the
world has never worked. Instead, Multiformats provide a mechanism to detect any
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
developers make different choices based upon different requirements. Imposing a
single base-encoding, cryptographic hashing, or cryptographic key format on the
world has never worked. Instead, Multiformats provide a mechanism to detect any
developers make different choices based upon different requirements, and no single standards
could emerge for base-encoding, cryptographic hashing, or for cryptographic key formats. Multiformats provide a mechanism to detect any

(Additional change related to my previous comment.)

TallTed
TallTed requested changes Oct 15, 2024
View reviewed changes
index.html Outdated Show resolved Hide resolved
index.html Outdated Show resolved Hide resolved
@iherman
Copy link
Member

iherman commented Oct 16, 2024

The issue was discussed in a meeting on 2024-10-16

  • no resolutions were taken
View the transcript

4.3. Add security consideration around Multiformat choice. (pr controller-document#107)

See github pull request controller-document#107.

Manu Sporny: TAG also asked for Security Considerations for multi format choice.
… cannot tell difference between base64 and base32 encodings but with multi-encoding you can.
… but we have not done this is the relatedResource property.

David Chadwick: the way I read this, in order to determine whether its b64, you have to read the spec. in multi-encoding you don't have the issue (have a prefix that tells you what it is); however, you have to go to the spec to understand this too.

Manu Sporny: multibase encoding has a multibase type so can take the text and you know that the first character will tell you the encoding format.

Dave Longley: +1 you define the multibase type once, and you can then reuse it across software and specs and if you need to switch anything, the impact can be reduced.

@msporny
Copy link
Member Author

msporny commented Oct 19, 2024

Editorial, multiple reviews, changes requested and made, no objections, merging.

@msporny msporny merged commit 451f383 into main Oct 19, 2024
1 check passed
@msporny msporny deleted the msporny-multiwarn branch October 19, 2024 21:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iherman iherman iherman left review comments

@TallTed TallTed TallTed requested changes

@dlongley dlongley dlongley approved these changes

@BigBlueHat BigBlueHat Awaiting requested review from BigBlueHat

@davidlehn davidlehn Awaiting requested review from davidlehn

@jandrieu jandrieu Awaiting requested review from jandrieu

@longpd longpd Awaiting requested review from longpd

@dmitrizagidulin dmitrizagidulin Awaiting requested review from dmitrizagidulin

@decentralgabe decentralgabe Awaiting requested review from decentralgabe

@selfissued selfissued Awaiting requested review from selfissued selfissued is a code owner

@KDean-Dolphin KDean-Dolphin Awaiting requested review from KDean-Dolphin

@brentzundel brentzundel Awaiting requested review from brentzundel

@PatStLouis PatStLouis Awaiting requested review from PatStLouis

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@msporny @iherman @dlongley @TallTed