please review "text/rif+xml" media type registration

Sandro Hawke <sandro@w3.org> Tue, 21 July 2009 00:12 UTC

To: ietf-types@iana.org, ietf-xml-mime@imc.org
cc: www-archive@w3.org
From: Sandro Hawke <sandro@w3.org>
Subject: please review "text/rif+xml" media type registration
X-Mailer: MH-E 8.1; nmh 1.2; GNU Emacs 22.2.1
Date: Mon, 20 Jul 2009 20:11:49 -0400
Message-ID: <27324.1248135109@waldron>

The following media type registration has been recently published as
part of a W3C Last Call Working Draft [1], and will soon be submitted to
the IESG for review, approval, and registration with IANA (as per [2]).
An earlier version of this registration was posted here for review about
a year ago [3].  The changes made since then reflect changes in the
organization of the RIF family of dialects; there were no changes
suggested by reviewers of that posting.

At this point, we would appreciate comments on this registration
information.  If you see any problems, please let us know; I'll act as
a liaison between these IETF lists and the W3C Working Group
responsible for these specifications.

      -- Sandro

[1] http://www.w3.org/TR/rif-core/#Appendix:_RIF_Media_Type_Registration
[2] http://www.w3.org/2002/06/registering-mediatype
[3] http://lists.w3.org/Archives/Public/www-archive/2008Sep/0023.html

================================================================

   Type name: application

   Subtype name: rif+xml

   Required parameters: none

   Optional parameters: charset, as per RFC 3023 (XML Media Types)

   Encoding considerations: same as RFC 3023 (XML Media Types)

   Security considerations: 

       Systems which consume RIF documents are potentially vulnerable
       to attack by malicious producers of RIF documents.  The
       vulnerabilities and forms of attack are similar to those of
       other Web-based formats with programming or scripting
       capabilities, such as HTML with embedded JavaScript.

       Excessive Resource Use / Denial of Service Attacks

          Complete processing of a RIF document, even a conformant
          RIF Core document, may require arbitrarily great CPU and
          memory resources.  Through the use of "import", processing
          may also require arbitrary URI dereferencing, which may
          consume all available network resources on the consuming
          system or other systems.  RIF consuming systems SHOULD
          implement reasonable defenses against these attacks.

       Exploiting Implementation Flaws

          RIF is a relatively complex format, and rule engines can be
          extremely sophisticated, so it is likely that some RIF
          consuming systems will have bugs which allow specially
          constructed RIF documents to perform inappropriate
          operations. We urge RIF implementors to make systems which
          carefully anticipate and handle all possible inputs,
          including those which present syntactic or semantic errors.

       External (Application) Functions

          Because RIF may be extended with local, application defined
          datatypes and functions, new vulnerabilities may be
          introduced.  Before being installed on systems which consume
          untrusted RIF documents, these external functions should be
          closely reviewed for their own vulnerabilities and for the
          vulnerabilities that may occur when they are used in
          unexpected combinations, like "cross-site scripting"
          attacks.
       
       In addition, as this media type uses the "+xml" convention, it
       shares the same security considerations as other XML formats;
       see RFC 3023 (XML Media Types).


   Interoperability considerations: 

       This media type is intended to be shared with other RIF
       dialects, to be specified in the future.  Interoperation
       between the dialects is governed by the RIF specifications.

   Published specifications: 

       RIF Core Dialect
       W3C Working Draft (Recommendation Track)
       http://www.w3.org/TR/rif-core/

       RIF Datatypes and Builtins
       W3C Working Draft (Recommendation Track)
       http://www.w3.org/TR/rif-dtb/

       RIF Basic Logic Dialect
       W3C Working Draft (Recommendation Track)
       http://www.w3.org/TR/rif-bld/

       RIF Production Rule Dialect
       W3C Working Draft (Recommendation Track)
       http://www.w3.org/TR/rif-prd/

       RIF Framework for Logic Dialects
       W3C Working Draft (Recommendation Track)
       http://www.w3.org/TR/rif-fld/

       This media type is intended for use by all RIF dialects,
       including those to be specified in the future.  Identification
       of the RIF dialect in use by a document is done by examining
       the use of specific XML elements within the document.

   Applications that use this media type: 

       Unknown at the time of these drafts.  Multiple applications are
       expected, however, before the specification reaches W3C
       Proposed Recommendation status.

   Additional information:

     Magic number(s): 

           As with XML in general (See RFC 3023 (XML Media Types)),
           there is no magic number for this format.

           However, the XML namespace "http://www.w3.org/2007/rif#" will
           normally be present in the document.  It may theoretically
           be missing if the document uses XML entities in an
           obfuscatory manner.

           The hex form of that namespace will depend on the charset.
           For utf-8, the hex is: 68 74 74 70 3a 2f 2f 77 77 77 2e 77
           33 2e 6f 72.
           
     File extension(s): 

           .rif (or .xml)

     Macintosh file type code(s): 

           "TEXT" (like other XML)

   Person & email address to contact for further information:

       Sandro Hawke, sandro@w3.org.  Please send technical comments
       and questions about RIF to public-rif-comments@w3.org, a
       mailing list with a public archive at
       http://lists.w3.org/Archives/Public/public-rif-comments/ 

   Intended usage: 

       COMMON

   Restrictions on usage: 

       None

   Author:

       The editor and contact for this media type registration is
       Sandro Hawke, sandro@w3.org.

   Change controller: 

       RIF is a product of the Rule Interchange Format (RIF) Working
       Group of the World Wide Web Consortium (W3C).  See
       http://www.w3.org/2005/rules/wg for information on the group.
       The W3C (currently acting through this working group) has
       change control over the RIF specification.
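
The resource-use and magic-number considerations in the registration above, sketched as a pre-flight check that a consumer could run before handing a document to a rule engine. This is an added example, not part of the original message or of the RIF specifications. The Import/location element names, the numeric limits and the https-only import policy are assumptions.

```python
import xml.parsers.expat

RIF_NS = "http://www.w3.org/2007/rif#"  # namespace named in the registration
# Assumed element names for the "import" construct, in expat's "ns local" form.
IMPORT, LOCATION = RIF_NS + " Import", RIF_NS + " location"
# Assumed limits and import policy; tune per deployment.
MAX_BYTES, MAX_ELEMENTS, MAX_DEPTH, MAX_IMPORTS = 1_000_000, 50_000, 64, 8
ALLOWED_SCHEMES = {"https"}
# Constructed sample document, not taken from the RIF specifications.
SAMPLE = (b'<Document xmlns="http://www.w3.org/2007/rif#"><directive><Import>'
          b'<location>https://example.org/base.rif</location>'
          b'</Import></directive></Document>')

class RejectedDocument(Exception):
    """Raised when a document fails the pre-flight policy."""

def preflight(data: bytes) -> list:
    """Return the import URIs of a RIF document, or raise RejectedDocument."""
    if len(data) > MAX_BYTES:
        raise RejectedDocument("document exceeds size limit")
    path, text, imports, seen = [], [], [], [0]

    def start(name, attrs):
        seen[0] += 1
        # Namespace check on the parsed root, not on raw bytes, so the
        # result does not depend on charset or prefix choice.
        if not path and not name.startswith(RIF_NS + " "):
            raise RejectedDocument("root element is not in the RIF namespace")
        path.append(name)
        if len(path) > MAX_DEPTH or seen[0] > MAX_ELEMENTS:
            raise RejectedDocument("document exceeds structural limits")
    def chars(s):
        if path[-2:] == [IMPORT, LOCATION]:
            text.append(s)
    def end(name):
        if path[-2:] == [IMPORT, LOCATION]:
            uri = "".join(text).strip()
            text.clear()
            if uri.partition(":")[0].lower() not in ALLOWED_SCHEMES:
                raise RejectedDocument("import scheme not allowed: " + uri)
            imports.append(uri)
            if len(imports) > MAX_IMPORTS:
                raise RejectedDocument("too many imports")
        path.pop()
    def doctype(*_):  # refuses entity tricks, including an entity-hidden namespace
        raise RejectedDocument("DTD present; entity declarations are refused")

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.CharacterDataHandler, parser.StartDoctypeDeclHandler = chars, doctype
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedDocument("not well-formed XML: %s" % exc) from exc
    return imports
```

The returned URIs are only candidates for dereferencing; the fetch itself still needs its own timeout, response-size cap and a visited set so that chained imports cannot recurse without bound.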