Post-facto reporting of media type security considerations

Martin Duerst duerst at w3.org
Tue Oct 19 05:17:34 CEST 2004 

The new registration procedure for mime types is at
http://www.ietf.org/internet-drafts/draft-freed-media-type-reg-01.txt.
That doesn't seem to do away with the "Comments on Media Type Registrations".
I agree that this section has some problems. The new registration
process also allows registrations directly from standards bodies
outside the IETF (with IESG approval). While for example the W3C
has a better working system for dealing with errata (there is
a link to an errata page from each W3C Recommendation, and
there is even a direct link for the TR page
(http://www.w3.org/TR/#Recommendations)), that may be different
for other standards organizations. Also, there is not necessarily
a guarantee that a request from IANA for an erratum would be
honored, or that the IANA would know how to go about notifying
the right place if they received a comment.

Regards,     Martin.

P.S.: It seems that our setting of the 'Reply-To' header has
       prompted the IANA anti-spam system to send its message to
       the list rather than to you only. Any way, on either your
       or IANAs side, to avoid that?


At 23:08 04/10/18, Bruce Lilly wrote:
 >[This message has been sent to the ietf-types mailing list with a courtesy
 >copy to IANA (as IANA issues are raised); I have suggested responses
 >be directed to the ietf-types list]
 >
 >There are some media types for which security issues have become known
 >since the original type registrations. RFC 2048 has a provision for reporting
 >such issues:
 >
 >2.2.6.  Security Requirements
 >[...]
 >   The security considerations section of all registrations is subject
 >   to continuing evaluation and modification, and in particular may be
 >   extended by use of the "comments on media types" mechanism described
 >   in subsequent sections.
 >
 >and
 >
 >2.4.  Comments on Media Type Registrations
 >
 >   Comments on registered media types may be submitted by members of the
 >   community to IANA.  These comments will be passed on to the "owner"
 >   of the media type if possible.  Submitters of comments may request
 >   that their comment be attached to the media type registration itself,
 >   and if IANA approves of this the comment will be made accessible in
 >   conjunction with the type registration itself.
 >
 >RFC 2048 was issued nearly eight years ago, so I wonder if the procedure
 >listed there is still considered appropriate.  In particular, I have several
 >questions that members of this list might be qualified to answer:
 >
 >1. Has this mechanism ever been used? [I have scanned several dozen
 >    media registrations, but could find no example of anything that
 >    looks like commentary attached to the media type registration]
 >
 >2. Media types can be registered via a textual form alone, or in an RFC.
 >    It seems unlikely that IANA can attach comments to an RFC, as RFCs
 >    are supposed to remain unchanged once published.  There is a
 >    somewhat obscure errata page, but that's managed by the RFC
 >    Editor, not IANA.  I therefore believe that the RFC 2048 procedure
 >   as written is not entirely adequate. Comments?
 >
 >3. Does IANA itself currently have the expertise to evaluate accuracy
 >    and applicability of submitted comments?  If not, who will IANA
 >    turn to for advice, and would it be prudent/advisable/acceptable
 >    for "submitters of comments" to copy them (assuming that
 >    submission of comments to IANA is still considered the applicable
 >    procedure)?
 >
 >4. The RFC 2048 text mentions that comments will be forwarded to the
 >    media type "owner", and mentions IANA approval of comments.
 >    What procedures exist for conflict resolution? For example, suppose
 >    that the submitter of a textual registration which claimed "no
 >    known security issues" believes in security through obscurity (or
 >    is constrained by such a corporate employer's policy) and objects
 >    to having security comments attached to the registration (assume
 >    that substantial third-party corroboration of real security issues
 >    is provided with the comments); does the type "owner" have
 >    final say in the matter, does IANA have the authority to override
 >    such non-substantive objections, is there provision for IETF AD or
 >    IESG review if necessary, etc.?

More information about the Ietf-types mailing list