please review "application/rif+xml" from Sandro Hawke on 2008-09-16 (www-archive@w3.org from September 2008)

From: Sandro Hawke <sandro@w3.org>
Date: Tue, 16 Sep 2008 07:21:52 -0400
To: ietf-types@iana.org, ietf-xml-mime@imc.org
Cc: www-archive@w3.org
Message-ID: <10003.1221564112@ubuhebe>
The following media type registration is currently published as part of
a W3C Last Call Working Draft [1] and will soon be submitted to the IESG
for review, approval, and registration with IANA (as per [2]).

At this point, we would appreciate comments on this registration
information.  If you see any problems, please let us know.

(It's tempting to say a few words about RIF here, but I suppose I should
let the registration stand on its own.  It does includes links to the
specification and to the Working Group home page.)

      -- Sandro

[1] http://www.w3.org/TR/2008/WD-rif-bld-20080730/#Appendix:_RIF_Media_Type_Registration
[2] http://www.w3.org/2002/06/registering-mediatype

================================================================

   Type name: application

   Subtype name: rif+xml

   Required parameters: none

   Optional parameters: charset, as per RFC 3023 (XML Media Types)

   Encoding considerations: same as RFC 3023 (XML Media Types)

   Security considerations: 

       Systems which consume RIF documents are potentially vulnerable
       to attack by malicious producers of RIF documents.  The
       vulnerabilities and forms of attack are similar to those of
       other Web-based formats with programming or scripting
       capabilities, such as HTML with embedded Javascript.

       Excessive Resource Use / Denial of Service Attacks

          Full and complete processing of a RIF document, even one
          conforming to the RIF-BLD dialect, may require unlimited CPU
          and memory resources.  Through the use of "import", it may
          also require arbitrary URI dereferencing, which may consume
          all available network resources on the consuming system or
          other systems.  RIF consuming systems SHOULD implement
          reasonable defenses against these attacks.

       Exploiting Implementation Flaws

          RIF is a relatively complex format, and rule engines can be
          extremely sophisticated, so it is likely that some RIF
          consuming systems will have bugs which allow specially
          constructed RIF documents to perform inappropriate
          operations. We urge RIF implementors to make systems which
          carefully anticipate and handle all possible inputs,
          including those which present syntactic or semantic errors.

       External (Application) Functions

          Because RIF may be extended with local, application defined
          datatypes and functions, arbitrary vulnerabilities may be
          introduced.  Before being installed on systems which consume
          untrusted RIF documents, these external functions should be
          closely reviewed for their own vulnerabilities and for the
          vulnerabilities that may occur when they are used in
          unexpected combinations, like "cross-site scripting"
          attacks.
       
       In addition, as this media type uses the "+xml" convention, it
       shares the same security considerations as other XML formats;
       see RFC 3023 (XML Media Types).


   Interoperability considerations: 

       This media type is intended to be shared with other RIF
       dialects, to be specified in the future.  Interoperation
       between the dialects is governed by the RIF specifications.

   Published specification: 

       RIF Basic Logic Dialect
       W3C Working Draft (Recommendation Track)
       http://www.w3.org/TR/rif-bld/

       This media type is intended to be shared with other RIF
       dialects, to be specified in the future.

   Applications that use this media type: 

       Unknown at the time of this draft.  Multiple applications are
       expected, however, before the specification reaches W3C
       Proposed Recommendation status.

   Additional information:

     Magic number(s): 

           As with XML in general (See RFC 3023 (XML Media Types)),
           there is no magic number for this format.

           However, the XML namespace "http://www.w3.org/2007/rif#" will
           normally be present in the document.  It may theoretically
           be missing if the document uses XML entities in an
           obfuscatory manner.

           The hex form of that namespace will depend on the charset.
           For utf-8, the hex is: 68 74 74 70 3a 2f 2f 77 77 77 2e 77
           33 2e 6f 72.
           
     File extension(s): 

           .rif (or .xml)

     Macintosh file type code(s): 

           "TEXT" (like other XML)

   Person & email address to contact for further information:

       Sandro Hawke, sandro@w3.org.  Please send technical comments
       and questions about RIF to public-rif-comments@w3.org, a
       mailing list with a public archive at
       http://lists.w3.org/Archives/Public/public-rif-comments/ 

   Intended usage: 

       COMMON

   Restrictions on usage: 

       None

   Author:

       The editor and contact for this media type registration is
       Sandro Hawke, sandro@w3.org.

   Change controller: 

       RIF is a product of the Rule Interchange Format (RIF) Working
       Group of the World Wide Web Consortium (W3C).  See
       http://www.w3.org/2005/rules/wg for information on the group.
       The W3C (currently acting through this working group) has
       change control over the RIF specification.



   (Any other information that the author deems interesting may be added
   below this line.)
Received on Tuesday, 16 September 2008 11:24:02 UTC