- From: Roy T. Fielding <fielding@apache.org>
- Date: Wed, 9 Jul 2003 23:03:47 +0200
- To: Dan Connolly <connolly@w3.org>
- Cc: "Ian B. Jacobs" <ij@w3.org>, www-tag@w3.org
On Wednesday, July 9, 2003, at 10:17 PM, Dan Connolly wrote: > On Wed, 2003-07-09 at 15:03, Roy T. Fielding wrote: > [... several points I don't take issue with...] >> However, a receiving application can, with very high reliability, >> determine the character encoding of an XML document by reading it >> >> Sorry, that is completely false. > > No need to apologize; just present some evidence. > I'm pretty confident it is true "with very high > reliability." > > The design is presented in... > > F Autodetection of Character Encodings (Non-Normative) > http://www.w3.org/TR/REC-xml#sec-guessing > > and implementations are widespread and highly reliable. No, they are highly consistent. Reliable would mean that they wouldn't allow an interpretation of the content that differed from that described in the media type, since it is the media type that is authoritative. >> Folks should read the number of >> security vulnerabilities caused by such thinking before declaring >> that it is the case. > > For example? Do they involve XML? Do a google search on cross-site scripting. Not yet, unless you count XHTML, but that's only because people don't use XML for the delivery of Internet content (only for storage). I don't know if the browser XML parsers are set up yet to evaluate javascript within attribute values, but they will eventually. >> BTW, on a related point, I will note that the W3C working groups >> responsible for all of the exceptions requested on this point have >> still failed to register their media types with IANA. I just spent >> an hour digging though the W3C site to pick up some of these types >> for the Apache configuration file, since I am tired of waiting for >> the appropriate authors. People claiming that the registration >> process is slow should be ashamed of themseleves -- there are dozens >> of new types since the last update with far less applicability and >> deployment. The only organization that seems incapable of >> registering deployed types is the W3C. Whatever the problem is, >> it sure as heck isn't the IANA process. > > You are way, way out of line, Roy. Don't jump to the conclusion > that the authors are at fault. > > The IESG is on record as having repeatedly dropped the > ball on W3C registrations. See > http://www.w3.org/2003/06/17-w3c-ietf#mimereg > and the paper trail going back at least a year on this > http://lists.w3.org/Archives/Public/public-ietf-w3c/2002Aug/0000.html At no point has the IESG ever been responsible for media type registrations, as is clearly documented in the RFCs that define the process for those registrations. All you have to do is follow that process and the RFC editor will publish the RFC and the result is an IETF-branch media type. That's all there is to it. Maybe the problem the W3C is encountering is because you are talking to the wrong people. I'll repeat this again: The organization that is having problems registering media types is the W3C. Having just updated the mime.types file for Apache 2.1, I can assure you that IANA does register all types for which it has received appropriate notice, even if those types are in the non-vendor branch and the specifications have not yet been assigned RFC numbers. As near as I can tell, the reason that the W3C is having problems is because of the self-defeatist attitude that it is due to the IETF process, rather than a failure on the part of specification authors to follow-through on that process. > I'll thank you to be constructive an present your evidence or > just keep your comments to yourself. And I'll thank you and the rest of the W3C when you stop bitching about how the IETF works and how Web servers are configured, at least until you get off your duff and do the boring work necessary to make a standard authoritative. I am really tired of reading press releases about W3C accomplishments when none of it gets enabled on the Web until someone at Apache makes it happen. Follow through. ....Roy
Received on Thursday, 10 July 2003 01:02:52 UTC