- From: Sandro Hawke <sandro@w3.org>
- Date: Mon, 20 Jul 2009 20:11:49 -0400
- To: ietf-types@iana.org, ietf-xml-mime@imc.org
- cc: www-archive@w3.org
The following media type registration has been recently published as part of a W3C Last Call Working Draft [1], and will soon be submitted to the IESG for review, approval, and registration with IANA (as per [2]).

An earlier version of this registration was posted here for review about a year ago [3]. The changes made since then reflect changes in the organization of the RIF family of dialects; there were no changes suggested by reviewers of that posting.

At this point, we would appreciate comments on this registration information. If you see any problems, please let us know; I'll act as a liaison between these IETF lists and the W3C Working Group responsible for these specifications.

-- Sandro

[1] http://www.w3.org/TR/rif-core/#Appendix:_RIF_Media_Type_Registration
[2] http://www.w3.org/2002/06/registering-mediatype
[3] http://lists.w3.org/Archives/Public/www-archive/2008Sep/0023.html

================================================================

Type name: application

Subtype name: rif+xml

Required parameters: none

Optional parameters: charset, as per RFC 3023 (XML Media Types)

Encoding considerations: same as RFC 3023 (XML Media Types)

Security considerations:

Systems which consume RIF documents are potentially vulnerable to attack by malicious producers of RIF documents. The vulnerabilities and forms of attack are similar to those of other Web-based formats with programming or scripting capabilities, such as HTML with embedded Javascript.

Excessive Resource Use / Denial of Service Attacks

Complete processing of a RIF document, even a conformant RIF Core document, may require arbitrarily great CPU and memory resources. Through the use of "import", processing may also require arbitrary URI dereferencing, which may consume all available network resources on the consuming system or other systems. RIF consuming systems SHOULD implement reasonable defenses against these attacks.

Exploiting Implementation Flaws

RIF is a relatively complex format, and rule engines can be extremely sophisticated, so it is likely that some RIF consuming systems will have bugs which allow specially constructed RIF documents to perform inappropriate operations. We urge RIF implementors to make systems which carefully anticipate and handle all possible inputs, including those which present syntactic or semantic errors.

External (Application) Functions

Because RIF may be extended with local, application defined datatypes and functions, new vulnerabilities may be introduced. Before being installed on systems which consume untrusted RIF documents, these external functions should be closely reviewed for their own vulnerabilities and for the vulnerabilities that may occur when they are used in unexpected combinations, like "cross-site scripting" attacks.

In addition, as this media type uses the "+xml" convention, it shares the same security considerations as other XML formats; see RFC 3023 (XML Media Types).

Interoperability considerations:

This media type is intended to be shared with other RIF dialects, to be specified in the future. Interoperation between the dialects is governed by the RIF specifications.

Published specifications:

RIF Core Dialect
W3C Working Draft (Recommendation Track)
http://www.w3.org/TR/rif-core/

RIF Datatypes and Builtins
W3C Working Draft (Recommendation Track)
http://www.w3.org/TR/rif-dtb/

RIF Basic Logic Dialect
W3C Working Draft (Recommendation Track)
http://www.w3.org/TR/rif-bld/

RIF Production Rule Dialect
W3C Working Draft (Recommendation Track)
http://www.w3.org/TR/rif-prd/

RIF Framework for Logic Dialects
W3C Working Draft (Recommendation Track)
http://www.w3.org/TR/rif-fld/

This media type is intended for use by all RIF dialects, including those to be specified in the future. Identification of the RIF dialect in use by a document is done by examining the use of specific XML elements within the document.

Applications that use this media type:

Unknown at the time of these drafts. Multiple applications are expected, however, before the specification reaches W3C Proposed Recommendation status.

Additional information:

Magic number(s):

As with XML in general (See RFC 3023 (XML Media Types)), there is no magic number for this format. However, the XML namespace "http://www.w3.org/2007/rif#" will normally be present in the document. It may theoretically be missing if the document uses XML entities in an obfuscatory manner. The hex form of that namespace will depend on the charset. For utf-8, the hex is: 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72.

File extension(s): .rif (or .xml)

Macintosh file type code(s): "TEXT" (like other XML)

Person & email address to contact for further information:

Sandro Hawke, sandro@w3.org. Please send technical comments and questions about RIF to public-rif-comments@w3.org, a mailing list with a public archive at http://lists.w3.org/Archives/Public/public-rif-comments/

Intended usage: COMMON

Restrictions on usage: None

Author:

The editor and contact for this media type registration is Sandro Hawke, sandro@w3.org.

Change controller:

RIF is a product of the Rule Interchange Format (RIF) Working Group of the World Wide Web Consortium (W3C). See http://www.w3.org/2005/rules/wg for information on the group. The W3C (currently acting through this working group) has change control over the RIF specification.
Received on Tuesday, 21 July 2009 00:12:00 UTC
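
One way a consumer could bound the "import" dereferencing described under Excessive Resource Use, as an added example that is not part of the original message or of any RIF implementation. It assumes the RIF XML syntax wraps each import as directive/Import/location (the registration itself only says "import"); the function names, the limits and the rules.example documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

RIF_NS = "http://www.w3.org/2007/rif#"  # namespace quoted in the registration
IMPORT, LOCATION = f"{{{RIF_NS}}}Import", f"{{{RIF_NS}}}location"  # assumed names

class ImportLimitExceeded(Exception):
    """The document set exceeded the consumer's resource budget."""

def load_with_imports(root_uri, fetch, max_docs=8, max_depth=3,
                      max_bytes=64_000, allowed_schemes=("https",)):
    """Load a RIF document and its imports breadth-first under fixed budgets.
    fetch(uri) -> bytes is caller-supplied (assumed to enforce a timeout)."""
    loaded, seen, total, queue = [], {root_uri}, 0, [(root_uri, 0)]
    while queue:
        uri, depth = queue.pop(0)
        if urlsplit(uri).scheme not in allowed_schemes:
            raise ImportLimitExceeded(f"scheme not allowed: {uri}")
        if len(loaded) >= max_docs:
            raise ImportLimitExceeded("too many documents")
        body = fetch(uri)
        total += len(body)
        if total > max_bytes:
            raise ImportLimitExceeded("byte budget exhausted")
        if b"<!DOCTYPE" in body:  # byte-level check; assumes UTF-8 input
            raise ImportLimitExceeded(f"DTD not accepted: {uri}")
        root = ET.fromstring(body)
        if root.tag != f"{{{RIF_NS}}}Document":
            raise ValueError(f"not a RIF document: {uri}")
        loaded.append(uri)
        for imp in root.iter(IMPORT):
            target = urljoin(uri, (imp.findtext(LOCATION) or "").strip())
            if target in seen:
                continue  # cycle or repeated import: fetch once only
            if depth + 1 > max_depth:
                raise ImportLimitExceeded("import chain too deep")
            seen.add(target)
            queue.append((target, depth + 1))
    return loaded

def sample_doc(*imports):  # constructed sample documents, not real rule sets
    tpl = "<directive><Import><location>{}</location></Import></directive>"
    return (f'<Document xmlns="{RIF_NS}">' + "".join(map(tpl.format, imports))
            + "</Document>").encode()

SAMPLE = {"https://rules.example/a": sample_doc("b", "https://rules.example/a"),
          "https://rules.example/b": sample_doc("c"),
          "https://rules.example/c": sample_doc("d"),
          "https://rules.example/d": sample_doc()}
```

Calling `load_with_imports("https://rules.example/a", SAMPLE.__getitem__)` walks the constructed chain a, b, c, d once each; the budgets cover network fan-out only, so CPU and memory limits on rule evaluation itself still have to be enforced by the engine.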