[Cryptography] Langsec & authentication

Judson Lester nyarly at gmail.com
Mon May 26 14:23:34 EDT 2014


I've been fascinated to discover and read about the langsec movement
in the wake of heartbleed. The fundamental ideas seem sound, but
there's at least one question I have but haven't seen addressed
anywhere.

As I understand it, the langsec position is that specifying your
protocol language to be as easy to parse as possible, in Chomsky
hierarchy terms, has direct security implications - if the uppermost
surface of your networked application doesn't have to include a Turing
machine, that severely limits an avenue of attack on that application.

What confuses me is trying to align this with a principle of
cryptography that you should only authenticate what you mean, as
opposed to authenticating a particular series of bytes, especially in
the face of langsec sites that recommend the use of JSON after having
argued convincingly against ASN.1 DER.

Here's what I mean: moving on immediately from JSON, it seems to me
that any language that includes key-value pairs, to be safe to
authenticate, has to guarantee that the keys in any mapping form a
set. Otherwise I can produce two documents that *mean* the same thing
even though they have different bytes - because in foo=bar,foo=baz,
our interpretation has to choose a meaning - does foo == bar, baz or
maybe [bar,baz]?

But I think that requiring that the keys belong to a set pushes the
language into context sensitivity i.e. as bad as ASN.1 DER.

Conversely, I can't think of a system I use regularly that doesn't
define a language that either uses set-of-keys, should use
set-of-keys, or uses repeat-implies-array, all of which imply
context-sensitivity, I think. On the other hand, removing key/value
from a protocol would make it comparatively easy to reduce to a
regular language.

Am I onto something here? Well addressed elsewhere?

Judson
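The foo=bar,foo=baz ambiguity the post raises, as an added Python example that is not part of the original message. The constructed documents DOC_A, DOC_B and DOC_C and the placeholder key are assumptions made here. The block shows that Python's default JSON parser silently collapses duplicate keys (last value wins), so two byte-different documents carry one meaning; it then enforces the "keys form a set" rule with `object_pairs_hook`, and authenticates a canonical serialization of the parsed object rather than the raw bytes, so that the MAC covers the meaning and whitespace differences stop mattering:

```python
import hashlib
import hmac
import json

# Constructed sample documents (not from the original post).
# DOC_A and DOC_B mean the same thing under "last duplicate wins" but differ in bytes.
# DOC_C differs from DOC_A only in insignificant whitespace.
DOC_A = b'{"foo":"baz"}'
DOC_B = b'{"foo":"bar","foo":"baz"}'
DOC_C = b'{ "foo" : "baz" }'

# Placeholder key for the demonstration; a real deployment would use a provisioned secret.
KEY = b"constructed-demo-key"


def lenient_parse(raw: bytes):
    """Default json.loads behaviour: duplicate keys collapse, the last value wins."""
    return json.loads(raw.decode("utf-8"))


def _reject_duplicates(pairs):
    """object_pairs_hook that makes duplicate keys a parse error in every mapping, nested ones included."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key: {key!r}")
        obj[key] = value
    return obj


def strict_parse(raw: bytes):
    """Parse only documents whose keys form a set in every mapping."""
    return json.loads(raw.decode("utf-8"), object_pairs_hook=_reject_duplicates)


def is_strictly_well_formed(raw: bytes) -> bool:
    """True if strict_parse accepts the document, False if it rejects a duplicate key."""
    try:
        strict_parse(raw)
    except ValueError:
        return False
    return True


def canonical_bytes(obj) -> bytes:
    """One byte string per meaning: sorted keys (recursively), no insignificant whitespace, ASCII-only escapes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode("utf-8")


def tag_bytes(raw: bytes) -> str:
    """Authenticate the literal bytes on the wire."""
    return hmac.new(KEY, raw, hashlib.sha256).hexdigest()


def tag_meaning(raw: bytes) -> str:
    """Authenticate what the document means: strict parse, canonicalize, then MAC the canonical form."""
    return hmac.new(KEY, canonical_bytes(strict_parse(raw)), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print("lenient A == B:", lenient_parse(DOC_A) == lenient_parse(DOC_B))
    print("byte tags A == B:", tag_bytes(DOC_A) == tag_bytes(DOC_B))
    print("strict accepts B:", is_strictly_well_formed(DOC_B))
    print("meaning tags A == C:", tag_meaning(DOC_A) == tag_meaning(DOC_C))
```

Note that the duplicate-key check in `_reject_duplicates` needs memory of every key seen so far in the current object, which is exactly the non-regular constraint the post is worried about; the canonical serializer likewise has to sort keys, so both sides of the "authenticate meaning" approach live above the regular-language layer. Canonicalization via `json.dumps` also leaves number formatting (floats, `1` vs `1.0`) unresolved, so a production canonical form would need to pin that down as well.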
