please review 'application/pdf'

Marc Mutz mutz at kde.org
Fri Oct 24 13:14:24 CEST 2003 

On Friday 24 October 2003 00:13, Chris Lilley wrote:
<snip>
> I also see
>
>    o Accessing the document in ways not permitted by the document's
>      access permissions is a violation of the document author's
>      copyright.
>
> This strikes me as a useful statement and I am pleased by its
> inclusion.
<snip>

I think I need to disagree here.

I don't think it's appropriate for a technical document to make 
assumptions on the intent of the author of a document, be it PDF or 
other. Or, for that matter, for a media type registration to mandate 
DRM. It might be that the document author just left the default values 
of whatever software she used to create the PDF and that software might 
default to restricting rights that the author may have freely granted 
otherwise. It may be that the document is the result of the conversion 
of a freely available Web page to PDF format (e.g. print to PDF) and 
that the creator of the document, as opposed to the creator of the 
content.

OTOH, the Security Consideration section misses a remark that PDF files 
contain compressed content and that the result of decompression might 
be very much larger than the file appears, which enables DoS attacks on 
MUAs and Web Browsers if not taken into account.

It also misses to mention if and to what extend meta data about the 
author or the authors system is present in the PDF file. Something 
along the lines of 

        PDF documents include document metadata such as the name of
        the author, etc. The PDF author may not have full control over
        what metadata is to be included. Therefore, use of this
        mimetype may lead to hidden leaking of possibly sensitive data.

Marc

-- 
It's one thing to accept a risk to your own data, but quite another to
standardize on something that imposes that risk on others, no matter
how unlikely you think it is that anything "really bad" will happen,
and no matter how desirable the outcome.  -- Bart Schaefer, on ietf-822
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: signature
Url : http://www.alvestrand.no/pipermail/ietf-types/attachments/20031024/c7bb0e2c/attachment-0002.bin

More information about the Ietf-types mailing list