- From: Sandro Hawke <sandro@w3.org>
- Date: Mon, 20 Jul 2009 20:11:49 -0400
- To: ietf-types@iana.org, ietf-xml-mime@imc.org
- cc: www-archive@w3.org
The following media type registration has been recently published as
part of a W3C Last Call Working Draft [1], and will soon be submitted to
the IESG for review, approval, and registration with IANA (as per [2]).
An earlier version of this registration was posted here for review about
a year ago [3]. The changes made since then reflect changes in the
organization of the RIF family of dialects; there were no changes
suggested by reviewers of that posting.
At this point, we would appreciate comments on this registration
information. If you see any problems, please let us know; I'll act as
a liason between these IETF lists and the W3C Working Group
responsible for these specifications.
-- Sandro
[1] http://www.w3.org/TR/rif-core/#Appendix:_RIF_Media_Type_Registration
[2] http://www.w3.org/2002/06/registering-mediatype
[3] http://lists.w3.org/Archives/Public/www-archive/2008Sep/0023.html
================================================================
Type name: application
Subtype name: rif+xml
Required parameters: none
Optional parameters: charset, as per RFC 3023 (XML Media Types)
Encoding considerations: same as RFC 3023 (XML Media Types)
Security considerations:
Systems which consume RIF documents are potentially vulnerable
to attack by malicious producers of RIF documents. The
vulnerabilities and forms of attack are similar to those of
other Web-based formats with programming or scripting
capabilities, such as HTML with embedded Javascript.
Excessive Resource Use / Denial of Service Attacks
Complete processing of a RIF document, even a conformant
RIF Core document, may require arbitrarily great CPU and
memory resources. Through the use of "import", processing
may also require arbitrary URI dereferencing, which may
consume all available network resources on the consuming
system or other systems. RIF consuming systems SHOULD
implement reasonable defenses against these attacks.
Exploiting Implementation Flaws
RIF is a relatively complex format, and rule engines can be
extremely sophisticated, so it is likely that some RIF
consuming systems will have bugs which allow specially
constructed RIF documents to perform inappropriate
operations. We urge RIF implementors to make systems which
carefully anticipate and handle all possible inputs,
including those which present syntactic or semantic errors.
External (Application) Functions
Because RIF may be extended with local, application defined
datatypes and functions, new vulnerabilities may be
introduced. Before being installed on systems which consume
untrusted RIF documents, these external functions should be
closely reviewed for their own vulnerabilities and for the
vulnerabilities that may occur when they are used in
unexpected combinations, like "cross-site scripting"
attacks.
In addition, as this media type uses the "+xml" convention, it
shares the same security considerations as other XML formats;
see RFC 3023 (XML Media Types).
Interoperability considerations:
This media type is intended to be shared with other RIF
dialects, to be specified in the future. Interoperation
between the dialects is governed by the RIF specifications.
Published specifications:
RIF Core Dialect
W3C Working Draft (Recommendation Track)
http://www.w3.org/TR/rif-core/
RIF Datatypes and Builtins
W3C Working Draft (Recommendation Track)
http://www.w3.org/TR/rif-dtb/
RIF Basic Logic Dialect
W3C Working Draft (Recommendation Track)
http://www.w3.org/TR/rif-bld/
RIF Production Rule Dialect
W3C Working Draft (Recommendation Track)
http://www.w3.org/TR/rif-prd/
RIF Framework for Logic Dialects
W3C Working Draft (Recommendation Track)
http://www.w3.org/TR/rif-fld/
This media type is intended for use by all RIF dialects,
including those to be specified in the future. Identification
of the RIF dialect in use by a document is done by examining
the use of specific XML elements within the document.
Applications that use this media type:
Unknown at the time of these drafts. Multiple applications are
expected, however, before the specification reaches W3C
Proposed Recommendation status.
Additional information:
Magic number(s):
As with XML in general (See RFC 3023 (XML Media Types)),
there is no magic number for this format.
However, the XML namespace "http://www.w3.org/2007/rif#" will
normally be present in the document. It may theoretically
be missing if the document uses XML entities in an
obfuscatory manner.
The hex form of that namespace will depend on the charset.
For utf-8, the hex is: 68 74 74 70 3a 2f 2f 77 77 77 2e 77
33 2e 6f 72.
File extension(s):
.rif (or .xml)
Macintosh file type code(s):
"TEXT" (like other XML)
Person & email address to contact for further information:
Sandro Hawke, sandro@w3.org. Please send technical comments
and questions about RIF to public-rif-comments@w3.org, a
mailing list with a public archive at
http://lists.w3.org/Archives/Public/public-rif-comments/
Intended usage:
COMMON
Restrictions on usage:
None
Author:
The editor and contact for this media type registration is
Sandro Hawke, sandro@w3.org.
Change controller:
RIF is a product of the Rule Interchange Format (RIF) Working
Group of the World Wide Web Consortium (W3C). See
http://www.w3.org/2005/rules/wg for information on the group.
The W3C (currently acting through this working group) has
change control over the RIF specification.
Received on Tuesday, 21 July 2009 00:12:00 UTC