Re: [websec] Issue 17: Registry for magic numbers

Tobias Gondrom <tobias.gondrom@gondrom.org> Wed, 26 October 2011 03:52 UTC

Message-ID: <4EA783F7.90609@gondrom.org>
Date: Wed, 26 Oct 2011 04:52:23 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
To: websec@ietf.org
References: <CAJE5ia8n+B10TbjpVYbVieTWEHo3AY_pRm1EToNX_iB1+3UTCw@mail.gmail.com> <4EA6360C.7070700@it.aoyama.ac.jp> <CAJE5ia8rnkeET5GQhoj7CWbOLha=hp-Ucq6Psw8M1LGvPTMC-w@mail.gmail.com>
In-Reply-To: <CAJE5ia8rnkeET5GQhoj7CWbOLha=hp-Ucq6Psw8M1LGvPTMC-w@mail.gmail.com>

<hat="individual">
For me the point is, currently we have a table in the document, which 
inside an RFC is rather static and hard to extend.
So it looks like a good case for a registry to allow for extendibility 
for new mime-types. (e.g. we keep the table in the document, create an 
IANA registry, copy the values to the registry and allow for future 
entries by expert review)
That can either be added to the current Mime-type registry, or we create 
a new one (e.g. within the websec namespace) with only these elements.

Just my 5 cents.

Tobias



On 25/10/11 05:23, Adam Barth wrote:
> On Mon, Oct 24, 2011 at 9:07 PM, "Martin J. Dürst"
> <duerst@it.aoyama.ac.jp>  wrote:
>> On 2011/10/25 11:21, Adam Barth wrote:
>>> http://trac.tools.ietf.org/wg/websec/trac/ticket/17 refers to an IANA
>>> registry with magic numbers for various media types.  I wanted to
>>> compare them to what's in the draft, but I couldn't find it.  I found
>>> the media type registry, e.g., for images:
>>>
>>> http://www.iana.org/assignments/media-types/image/index.html
>>>
>>> but I don't see any magic numbers.  Would someone be willing to point
>>> me in the right direction?
>> They are in the templates. To get the template for a registration, start at
>> the overview page (http://www.iana.org/assignments/media-types/index.html).
>>
>> Then go to the page that lists all the registrations for a given top level,
>> e.g. http://www.iana.org/assignments/media-types/image/index.html for
>> images.
>>
>> Then look at each registration template (click on the link in the left
>> column, or in the right column if the left one doesn't have a link and the
>> right one is to an RFC). You may then find a magic number in the
>> registration template. As an example, for image/jp2, the template is at
>> http://www.iana.org/assignments/media-types/image/jp2.
>>
>> But it looks like earlier templates didn't have a field for a magic number,
>> and this and the reasons Anne gave make this information helpful for
>> cross-checking, but not much more.
> == Images ==
>
> PNG has a registration template
> <http://www.iana.org/assignments/media-types/image/png>, but lacks a
> signature.
> JPEG doesn't have a template.
> GIF doesn't have a template.
> BMP isn't even registered.
> WEBP isn't even registered.
> ICO has a registration template
> <http://www.iana.org/assignments/media-types/image/vnd.microsoft.icon>
> and has the correct signature.  Yay!
>
> == Text ==
>
> HTML lacks a registration template.
>
> == Application ==
>
> PDF doesn't have a template.
> Postscript doesn't have a template.
> OGG doesn't have a template.
> RAR isn't even registered.
> ZIP has a registration template
> <http://www.iana.org/assignments/media-types/application/zip>, but
> lacks a signature.
> GZIP isn't even registered.
> RSS isn't even registered.
> Atom lacks a registration template.
>
> == Audio ==
>
> WAV isn't even registered.
>
> == Video ==
>
> MP4 lacks a registration template.
> WebM isn't even registered.
>
> This does not look like a promising approach.  Note: I haven't even
> looked through all the registrations to see how many have signatures
> that we shouldn't be using.
>
> Adam