[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: IESG expert review for the registration request "xliff+xml"
Hi David, all,below is some input.
Am 28.01.2015 um 14:02 schrieb Dr. David Filip <David.Filip@ul.ie>:Hi all,IESG has reviewed our provisional media type registration and requested below changes/explanations.Given that we have only 30 days to provide the amended version, we should look into this immediately and pass a resolution in the meeting of 3rd February.The reviewer had two types of concern1) encoding considerations, which seems some misunderstanding that I will hopefully address with Robin2) which seems more serious, security considerationsThe reviewer is not happy with our statement that XLIFF has only standard XML security considerations.We not only have extensibility, as the reviewer suspects but we also have a few standardized ways how to embed or reference executables, so they require a description how to address related risks externally (or internally, be we do not have any internal methods to address that IMHO and AFAIK).I would very much appreciate if a TC member or a group of TC members who have experience with1) media type registrations: Felix?, Jirka?2) security handling of embedded executables: Fredrik?, Yves?, Jirka?This is just my best guess who might be the suspects best suited to address this.. Please do not hesitate to take part even if you are not one of the listed suspects!drafted the security considerations sections before our next meting, pretty much during this week.Thanks for your attentiondFDr. David Filip=======================OASIS XLIFF TC Secretary, Editor, and Liaison OfficerLRC | CNGL | CSISUniversity of Limerick, Irelandtelephone: +353-6120-2781cellphone: +353-86-0222-158facsimile: +353-6120-2734mailto: david.filip@ul.ie---------- Forwarded message ----------
From: Robin Cover <robin@oasis-open.org>
Date: Tue, Jan 27, 2015 at 11:06 PM
Subject: IESG expert review for the registration request "xliff+xml"
To: David Filip <David.Filip@ul.ie>
Cc: Robin Cover <robin@oasis-open.org>Hi David. Please see the communication below (received today) and the 30-day expectation formulated for a response to the IESG reviewer via the ticket system.They offer to answer questions, if necessary ("If you have any questions, please don't hesitate to contact us.")============Dear Robin,The IESG-designated expert has reviewed this request and returned the inline comments below. Please reply to this message within 30 days of 27 January with a revised version of the security considerations section and a response to the reviewer's question about encoding considerations.If you have any questions, please don't hesitate to contact us.Best regards,Amanda BaberIANA Request SpecialistICANN> Name : Robin Cover> Email : robin.cover@oasis-open.org> MIME media type name : Application> MIME subtype name : Standards Tree -xliff+xml> Required parameters : N/A> Optional parameters :> N/A> Encoding considerations : 8bitThis implies the XML only uses charsets such as utf-8, and never utf-16. Areyou sure this is what you want? I don't see anything in the specification thatlimits things to utf-8, although the examples are all in utf-8. Ifutf-16 and similar charsets can be used this needs to change to binary.Would write here: "Identical to those of "application/xml" as described in IETF RFC 3023, section 3.2, as applied to an XLIFF document."> Security considerations :> All of the security considerations described in RFC 7303This isn't close to adequate. All RFC 7303 is describe the generic securityconsiderations for XML; you need to document those that are specific to thistype or explain why there aren't any.I would write here:„An XLIFF document may cause arbitrary URIs or IRIs to be dereferenced, via the @@@ add here attributes that allow dereferencing @@@. Therefore, the security issues of [RFC 3987] Section 8 should be considered. In addition, the contents of resources identified by file: URIs can in some cases be accessed, processed and returned as results. Arbitrary recursion is possible, as is arbitrarily large memory usage, and implementations may place limits on CPU and memory usage, as well as restricting access to system-defined functions. XLIFF permit extensions. Hence it is possible that application/xliff+xml may describe content that has security implications beyond those described here.“This is based on the ITS 2.0 media type registration which was accepted, so it should be OK. You need to fill in one blank.Best,FelixIn discussing the security considerations for a media type it isnecessary to cover at least these points:(1) State whether or not the media type contains active or executablecontent. If the media type does contain executable content explainwhat measures have been taken to insure that it can be executedsafely, e.g. a sandbox, safe operation set, signed content, etc.(2) State whether or not the information contained in the media typeneeds privacy or integrity services.(3) If the answer to (2) is yes, elaborate on any privacy or integrityservices the media type itself provides, or if it doesn't provide suchservices, explain how they should be provided externally, e.g., throughthe use of SSL/TLS.I don't see anything about executable content in the specification, but thisneeds to be written by someone who knows for sure. I also note that XMLvocabularies are sometimes extensible (I didn't see that anywhere but I couldhave missed it) and if so that needs to be noted as a source of possibleexecutable content.I would expect there to be content of this sort that requires privacy orintegrity protection; it may or may not be appropriate to specify how thatwould be provided (e.g., externally with SSL/TLS or internally with XMLsignatures/encryption).> Interoperability considerations :> Same as interoperability considerations described in RFC 7303; also,> interoperability requirements are specified throughout the XLIFF specification> and summarized in its Conformance section> Published specification :> (a) XLIFF Version 2.0 (OASIS Standard, 05 August 2014 -http://docs.oasis-open.org/xliff/xliff-core/v2.0/os/xliff-core-v2.0-os.html ); supported by (b) Media Type Registration Template for XLIFF Version 2.0 ( http://docs.oasis-open.org/xliff/xliff-media/v2.0/xliff-media-v2.0.html )> Applications which use this media :> XLIFF conformant applications, according to the Conformance Section of thespecification ()> Fragment identifier considerations :> Generic XML processors will not be able to resolve XLIFF fragment> identifiers, as the fragment identification syntax is specific for XLIFF and> has been defined in its Fragment Identification section as of csd03/csprd03 of> XLIFF Version 2.0.> Restrictions on usage :> N/A> Provisional registration? (standards tree only) :> YES> Additional information :> 1. Deprecated alias names for this type : N/A> 2. Magic number(s) : N/A> 3. File extension(s) : xlf> 4. Macintosh file type code : "TEXT"> 5. Object Identifiers: N/A> Note with respect to field "5. Encoding considerations": The same as encoding considerations for application/xml as specified in RFC 7303> Person to contact for further information :> 1. Name : Robin Cover> 2. Email : robin.cover@oasis-open.org> Intended usage : Common> [No additional comment on "Intended usage"]> Author/Change controller : Authors: Tom Comerford (tom@supratext.com), David Filip( David.Filip@ul.ie), Yves Savourel (ysavourel@enlaso.com); Change control: OASIS Staff (Robin Cover)--Robin Cover
OASIS, Director of Information Services
Editor, Cover Pages and XML Daily Newslink
Email: robin@oasis-open.org
Staff bio: http://www.oasis-open.org/people/staff/robin-cover
Cover Pages: http://xml.coverpages.org/
Newsletter: http://xml.coverpages.org/newsletterArchive.html
Tel: +1 972-296-1783
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]