AW: media type review requested for application/auth-policy+xml

Tschofenig, Hannes hannes.tschofenig at siemens.com
Thu Apr 13 16:39:36 CEST 2006


Hi Mark, 

Thanks for the quick response. Please find some comments inline:

> Hi,
> 
> On 4/13/06, Tschofenig, Hannes <hannes.tschofenig at siemens.com> wrote:
> > > - security section should also reference sec 10 of RFC 3023.
> >
> > Why do you think so?
> > I read through Section 10 of RFC 3023 and I don't think that the aspects
> > there are applicable for our usage environment.
> 
> The aspects of security described in that section are quite generic,
> so I'd be surprised if that were the case.  Just as one example, do
> you rule out the use of external entities with auth-policy+xml?  If
> not, then that section is relevant as it describes some potential
> security problems with their use.
> 
> FWIW, I think any +xml type should reference it as a matter of course.

We have external entities updating and receiving the authorization
policies. 
However, we capture this issue already in the security consideration
section in the Common Policy draft. 

The additional issues listed in RFC 3023 regarding 
* validation, 
* system level command execution
* CSS style sheets, XSL transformations, 
* xmldsig usage
* change the display processor environment 

Still, I can, if you want, make a reference to RFC 3023 if you think
that this is, in general, a good idea. 

> 
> > > - I'd recommend picking a file extension specific to this media type,
> > > as many Web servers come pre-configured to serve .xml files as
> > > application/xml, or even an RSS media type.
> > I don't care about the file extension. Can you
> > suggest something reasonable?
> 
> How about "apxml"?  I checked "apx", but it's been used before;
> 
> http://filext.com/detaillist.php?extdetail=apx&Search=Search
For me this sounds good. 
Still, I sent a mail to the Geopriv ML. 
	
Ciao
Hannes

> Cheers,
> 
> Mark.
> --
> Mark Baker.  Ottawa, Ontario, CANADA.       http://www.markbaker.ca
> 

