Re: [ietf-types] Request for registration of application/gzip and application/zlib

Ned Freed <ned.freed@mrochek.com> Thu, 23 February 2012 22:39 UTC

Return-Path: <ned.freed@mrochek.com>
X-Original-To: ietf-types@ietfa.amsl.com
Delivered-To: ietf-types@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16C0021F85E5 for <ietf-types@ietfa.amsl.com>; Thu, 23 Feb 2012 14:39:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.585
X-Spam-Level:
X-Spam-Status: No, score=-2.585 tagged_above=-999 required=5 tests=[AWL=0.014, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pz3EywSex6yF for <ietf-types@ietfa.amsl.com>; Thu, 23 Feb 2012 14:39:37 -0800 (PST)
Received: from mauve.mrochek.com (mauve.mrochek.com [66.59.230.40]) by ietfa.amsl.com (Postfix) with ESMTP id B9A2E21F85E3 for <ietf-types@ietf.org>; Thu, 23 Feb 2012 14:39:34 -0800 (PST)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01OCC0CK271S00OTRZ@mauve.mrochek.com> for ietf-types@ietf.org; Thu, 23 Feb 2012 14:39:31 -0800 (PST)
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01OCBX82X8F400ZUIL@mauve.mrochek.com>; Thu, 23 Feb 2012 14:39:28 -0800 (PST)
Message-id: <01OCC0CIB73O00ZUIL@mauve.mrochek.com>
Date: Thu, 23 Feb 2012 14:33:12 -0800
From: Ned Freed <ned.freed@mrochek.com>
In-reply-to: "Your message dated Wed, 22 Feb 2012 23:55:24 +0100" <ctrak7l80s1o4313m2h77b5rojji28j055@hive.bjoern.hoehrmann.de>
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset="ISO-8859-1"
References: <alpine.BSF.2.00.1202211047280.29127@joyce.lan> <7bv7k75ur1utsvkk8jvdlp47tt8nuab9e6@hive.bjoern.hoehrmann.de> <01OC9QB5028200ZUIL@mauve.mrochek.com> <ctrak7l80s1o4313m2h77b5rojji28j055@hive.bjoern.hoehrmann.de>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mrochek.com; s=mauve; t=1330036776; bh=7S8EwqVzJSedqP6dzmE6baHz2GnR5XPImYYWoYO6wFA=; h=Cc:Message-id:Date:From:Subject:In-reply-to:MIME-version: Content-type:References:To; b=SKo0Rb/cFhv6y6sWDhmJcackUuqsSJzUm9tpm7DTqEr6hkMZeDaGui4ZQ0i+/jizu mdK2BOr6pGymdDfQS+YM19ToEN8mSKh2yA49+YJwFDJuozCaAIpJPCG8nhEx1Ap4Q7 hRQir2FD/YzelSZyP0cJ8oq24+6OzX/oXN25e/bk=
Cc: John R Levine <johnl@taugh.com>, ietf-types@ietf.org
Subject: Re: [ietf-types] Request for registration of application/gzip and application/zlib
X-BeenThere: ietf-types@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Media \(MIME\) type review" <ietf-types.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-types>, <mailto:ietf-types-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-types>
List-Post: <mailto:ietf-types@ietf.org>
List-Help: <mailto:ietf-types-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-types>, <mailto:ietf-types-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2012 22:39:39 -0000

> * Ned Freed wrote:
> >> * John R Levine wrote:
> >> >    Encoding considerations: needs base64 or other encoding that allows
> >> >    arbitrary binary data
> >
> >> The value should be "8bit" (for both types).
> >
> >???? These are binary formats, plain and simple. There's no encoding included
> >in them that would result in line-oriented output.
> >
> >I don't mind changing the wording to simply say "binary" if that is clearer,
> >but "8bit" is flat-out incorrect.

> My apologies, I meant "binary". The nomenclature does confuse me, and I
> looked the definitions up again when making the comment, but apparently
> it came out wrong. The point is that RFC 4288 says "one of these key-
> words", not free-form text.

The keyword absolutely needs to be included, but free form text is often
helpful in explaining various nuances, and I see nothing in RFC 4288 that
actually prohibits it.

> >> >    Additional information:
> >> >
> >> >       Magic number(s): first byte is usually 0x78 but can also be 0x08,
> >> >       0x18, 0x28, 0x38, 0x48, 0x58, or 0x68.
> >
> >> This is confusing.
> >
> >Then suggest text. Not sure how else you can say this.

> I have not checked whether the above is all that can be said, but if it
> is, something like "The first byte is one of ... where 0x78 is the most
> common".

That also works for me, but frankly I don't think it is any clearer.

> >> >       File extension(s): none
> >> >       Macintosh file type code(s): none
> >> >
> >> >    Person and email address to contact for further information: see
> >> >    http://www.zlib.net/
> >
> >> The form in RFC 4288 wants you to use "&" in place of "and".
> >
> >No, really, it doesn't. Nothing says the form has to be followed to this
> >degree.

> Well, I look at it from a automated data extraction perspective, and
> little details like this make it harder to develop such tools. There
> being no good reason to use "&" sometimes and "and" other times, I'd
> prefer consistency, but I do agree that this is not a blocker.

Um, I doubt very, very much there's any automation involved...

> >> >4.  Security Considerations
> >> >
> >> >    Zlib and gzip compression can be used to compress arbitrary binary
> >> >    data such as hostile executable code.  Also, data that purports to be
> >> >    in zlib or gzip format may not be, and fields that are supposed to be
> >> >    flags, lengths, or pointers, could contain anything.  Applications
> >> >    should treat any data with due scepticism.
> >
> >> I would prefer simply referencing the two format RFCs, the types as such
> >> do not introduce additional security considerations.
> >
> >This may need to be reworded to make it clearer, but AFAIK the point that these
> >formats decode automatically in some contexts and are therefore sometimes used
> >to get hostile code past overly simplistic scans is not mentioned in those
> >documents and *is* a known security concern. As such, it needs to be mentioned.

> That is something the format RFCs should discuss, it's not a media type
> issue. With HTTP for instance you do not have automatic decompression
> based on the media type, but rather in a separate mechanism.

As John already pointed out, the RFCs say what they say and that isn't going
to change. Expecting someone to republish an RFC for no other reason than
to change a security considerion of this sort is simply not realistic.

As such, the requirement that security considerations for standards tree
registration trumps any "but there is a better location" argument that can be
made, because said better location doesn't actually exist and isn't going to
exist.

				Ned