Post-facto reporting of media type security considerations

[Bruce Lilly]

[This message has been sent to the ietf-types mailing list with a courtesy
copy to IANA (as IANA issues are raised); I have suggested responses
be directed to the ietf-types list]

There are some media types for which security issues have become known
since the original type registrations. RFC 2048 has a provision for reporting
such issues:

2.2.6.  Security Requirements
[...]
   The security considerations section of all registrations is subject
   to continuing evaluation and modification, and in particular may be
   extended by use of the "comments on media types" mechanism described
   in subsequent sections.

and

2.4.  Comments on Media Type Registrations

   Comments on registered media types may be submitted by members of the
   community to IANA.  These comments will be passed on to the "owner"
   of the media type if possible.  Submitters of comments may request
   that their comment be attached to the media type registration itself,
   and if IANA approves of this the comment will be made accessible in
   conjunction with the type registration itself.

RFC 2048 was issued nearly eight years ago, so I wonder if the procedure
listed there is still considered appropriate.  In particular, I have several
questions that members of this list might be qualified to answer:

1. Has this mechanism ever been used? [I have scanned several dozen
    media registrations, but could find no example of anything that
    looks like commentary attached to the media type registration]

2. Media types can be registered via a textual form alone, or in an RFC.
    It seems unlikely that IANA can attach comments to an RFC, as RFCs
    are supposed to remain unchanged once published.  There is a
    somewhat obscure errata page, but that's managed by the RFC
    Editor, not IANA.  I therefore believe that the RFC 2048 procedure
   as written is not entirely adequate. Comments?

3. Does IANA itself currently have the expertise to evaluate accuracy
    and applicability of submitted comments?  If not, who will IANA
    turn to for advice, and would it be prudent/advisable/acceptable
    for "submitters of comments" to copy them (assuming that
    submission of comments to IANA is still considered the applicable
    procedure)?

4. The RFC 2048 text mentions that comments will be forwarded to the
    media type "owner", and mentions IANA approval of comments.
    What procedures exist for conflict resolution? For example, suppose
    that the submitter of a textual registration which claimed "no
    known security issues" believes in security through obscurity (or
    is constrained by such a corporate employer's policy) and objects
    to having security comments attached to the registration (assume
    that substantial third-party corroboration of real security issues
    is provided with the comments); does the type "owner" have
    final say in the matter, does IANA have the authority to override
    such non-substantive objections, is there provision for IETF AD or
    IESG review if necessary, etc.?