please review 'application/pdf'
Marc Mutz
mutz at kde.org
Fri Oct 24 13:14:24 CEST 2003
On Friday 24 October 2003 00:13, Chris Lilley wrote:
<snip>
> I also see
>
> o Accessing the document in ways not permitted by the document's
> access permissions is a violation of the document author's
> copyright.
>
> This strikes me as a useful statement and I am pleased by its
> inclusion.
<snip>
I think I need to disagree here.

I don't think it's appropriate for a technical document to make
assumptions on the intent of the author of a document, be it PDF or
other. Or, for that matter, for a media type registration to mandate
DRM. It might be that the document author just left the default values
of whatever software she used to create the PDF and that software might
default to restricting rights that the author may have freely granted
otherwise. It may be that the document is the result of the conversion
of a freely available Web page to PDF format (e.g. print to PDF) and
that the creator of the document, as opposed to the creator of the
content.

OTOH, the Security Consideration section misses a remark that PDF files
contain compressed content and that the result of decompression might
be very much larger than the file appears, which enables DoS attacks on
MUAs and Web Browsers if not taken into account.

It also fails to mention if and to what extent metadata about the
author or the author's system is present in the PDF file. Something
along the lines of

   PDF documents include document metadata such as the name of
   the author, etc. The PDF author may not have full control over
   what metadata is to be included. Therefore, use of this
   mimetype may lead to hidden leaking of possibly sensitive data.

Marc
--
It's one thing to accept a risk to your own data, but quite another to
standardize on something that imposes that risk on others, no matter
how unlikely you think it is that anything "really bad" will happen,
and no matter how desirable the outcome. -- Bart Schaefer, on ietf-822
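
Added example, not part of the original message: one way a mail client or browser could take the decompression concern raised above into account, by inflating each Flate-compressed PDF stream under an output cap instead of trusting the file size. The limits, the function names and the regex-based stream scanner are assumptions made for illustration; the sample document is constructed inline.

```python
import re
import zlib

MAX_OUTPUT = 1 << 20   # assumed policy: at most 1 MiB inflated per stream
MAX_RATIO = 100        # assumed policy: at most 100x expansion

class StreamTooLarge(Exception):
    """Raised when a stream inflates past the configured limits."""

def bounded_inflate(data, max_output=MAX_OUTPUT, max_ratio=MAX_RATIO):
    """Inflate zlib data but never materialise more than the limit (+1 byte)."""
    limit = min(max_output, max(len(data), 1) * max_ratio)
    inflater = zlib.decompressobj()
    # max_length makes zlib stop producing output; one byte over the limit
    # is enough to prove the stream is too large without inflating it all.
    out = inflater.decompress(data, limit + 1)
    if len(out) > limit:
        raise StreamTooLarge(f"{len(data)} bytes in, more than {limit} bytes out")
    return out

# Simplified scanner: a real parser would honour /Length and nested dictionaries.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\nendstream", re.S)

def audit_pdf_streams(pdf_bytes):
    """Return (stream_index, verdict, inflated_size_or_None) per Flate stream."""
    report = []
    for i, m in enumerate(STREAM_RE.finditer(pdf_bytes)):
        if b"/FlateDecode" not in m.group(1):
            continue
        try:
            report.append((i, "ok", len(bounded_inflate(m.group(2)))))
        except StreamTooLarge:
            report.append((i, "rejected", None))
        except zlib.error:
            report.append((i, "corrupt", None))
    return report

def make_sample_pdf():
    """Constructed sample: one ordinary content stream, one 8 MiB run of zeros."""
    def obj(n, payload):
        body = zlib.compress(payload, 9)
        head = b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % (n, len(body))
        return head + body + b"\nendstream\nendobj\n"
    return b"%PDF-1.4\n" + obj(1, b"BT /F1 12 Tf (Hello) Tj ET") + obj(2, b"\0" * (8 << 20))

if __name__ == "__main__":
    for row in audit_pdf_streams(make_sample_pdf()):
        print(row)
```

The second stream is only a few kilobytes on disk, yet it is rejected after roughly 100 times its compressed size has been inflated, so the full 8 MiB is never allocated.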