The following media type registration is currently published as part of
a W3C Last Call Working Draft [1] and will soon be submitted to the IESG
for review, approval, and registration with IANA (as per [2]).
At this point, we would appreciate comments on this registration
information. If you see any problems, please let us know.
(It's tempting to say a few words about RIF here, but I suppose I should
let the registration stand on its own. It does include links to the
specification and to the Working Group home page.)
-- Sandro
[1] http://www.w3.org/TR/2008/WD-rif-bld-20080730/#Appendix:_RIF_Media_Type_Registration
[2] http://www.w3.org/2002/06/registering-mediatype
================================================================
Type name: application
Subtype name: rif+xml
Required parameters: none
Optional parameters: charset, as per RFC 3023 (XML Media Types)
Encoding considerations: same as RFC 3023 (XML Media Types)
Security considerations:
Systems which consume RIF documents are potentially vulnerable
to attack by malicious producers of RIF documents. The
vulnerabilities and forms of attack are similar to those of
other Web-based formats with programming or scripting
capabilities, such as HTML with embedded Javascript.
Excessive Resource Use / Denial of Service Attacks
Full and complete processing of a RIF document, even one
conforming to the RIF-BLD dialect, may require unlimited CPU
and memory resources. Through the use of "import", it may
also require arbitrary URI dereferencing, which may consume
all available network resources on the consuming system or
other systems. RIF consuming systems SHOULD implement
reasonable defenses against these attacks.
Exploiting Implementation Flaws
RIF is a relatively complex format, and rule engines can be
extremely sophisticated, so it is likely that some RIF
consuming systems will have bugs which allow specially
constructed RIF documents to perform inappropriate
operations. We urge RIF implementors to make systems which
carefully anticipate and handle all possible inputs,
including those which present syntactic or semantic errors.
External (Application) Functions
Because RIF may be extended with local, application defined
datatypes and functions, arbitrary vulnerabilities may be
introduced. Before being installed on systems which consume
untrusted RIF documents, these external functions should be
closely reviewed for their own vulnerabilities and for the
vulnerabilities that may occur when they are used in
unexpected combinations, like "cross-site scripting"
attacks.
In addition, as this media type uses the "+xml" convention, it
shares the same security considerations as other XML formats;
see RFC 3023 (XML Media Types).
Interoperability considerations:
This media type is intended to be shared with other RIF
dialects, to be specified in the future. Interoperation
between the dialects is governed by the RIF specifications.
Published specification:
RIF Basic Logic Dialect
W3C Working Draft (Recommendation Track)
http://www.w3.org/TR/rif-bld/
This media type is intended to be shared with other RIF
dialects, to be specified in the future.
Applications that use this media type:
Unknown at the time of this draft. Multiple applications are
expected, however, before the specification reaches W3C
Proposed Recommendation status.
Additional information:
Magic number(s):
As with XML in general (see RFC 3023 (XML Media Types)),
there is no magic number for this format.
However, the XML namespace "http://www.w3.org/2007/rif#" will
normally be present in the document. It may theoretically
be missing if the document uses XML entities in an
obfuscatory manner.
The hex form of that namespace will depend on the charset.
For utf-8, the hex is: 68 74 74 70 3a 2f 2f 77 77 77 2e 77
33 2e 6f 72.
File extension(s):
.rif (or .xml)
Macintosh file type code(s):
"TEXT" (like other XML)
Person & email address to contact for further information:
Sandro Hawke, sandro(_at_)w3(_dot_)org. Please send technical
comments and questions about RIF to
public-rif-comments(_at_)w3(_dot_)org, a mailing list with a public
archive at http://lists.w3.org/Archives/Public/public-rif-comments/
Intended usage:
COMMON
Restrictions on usage:
None
Author:
The editor and contact for this media type registration is
Sandro Hawke, sandro(_at_)w3(_dot_)org.
Change controller:
RIF is a product of the Rule Interchange Format (RIF) Working
Group of the World Wide Web Consortium (W3C). See
http://www.w3.org/2005/rules/wg for information on the group.
The W3C (currently acting through this working group) has
change control over the RIF specification.
(Any other information that the author deems interesting may be added
below this line.)
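
One way a consuming system could apply the security considerations above before handing a document to a rule engine, as an added example that is not part of the original message or of the RIF specification. The element names `Import` and `location`, the size, depth and import limits, the host `rules.example.org` and all function names are assumptions made for this sketch.

```python
import xml.parsers.expat as expat
from urllib.parse import urlsplit

RIF_NS = "http://www.w3.org/2007/rif#"  # namespace named in the registration
MAX_BYTES, MAX_DEPTH, MAX_IMPORTS = 1_000_000, 64, 8  # assumed local limits
SAMPLE = (b'<Document xmlns="http://www.w3.org/2007/rif#"><directive><Import>'
          b'<location>http://rules.example.org/base.rif</location>'
          b'</Import></directive></Document>')  # constructed sample input

class RifRejected(ValueError):
    """Raised when a document fails the pre-flight check."""

def preflight(data: bytes, allowed_hosts=frozenset()):
    """Return the import locations found; nothing is dereferenced here."""
    if len(data) > MAX_BYTES:
        raise RifRejected("document too large")
    stack, text, imports = [], [], []

    def no_dtd(*_):
        # No DOCTYPE means no entity declarations, so no entity expansion
        # and no hiding the namespace behind an entity.
        raise RifRejected("DOCTYPE not accepted")

    def start(name, _attrs):
        if not stack and not name.startswith(RIF_NS + " "):
            raise RifRejected("root element is not in the RIF namespace")
        if len(stack) >= MAX_DEPTH:
            raise RifRejected("nesting too deep")
        stack.append(name)
        text.clear()

    def end(name):
        stack.pop()
        # Import/location element names are an assumption of this sketch.
        if name == RIF_NS + " location" and stack and stack[-1] == RIF_NS + " Import":
            imports.append("".join(text).strip())

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = no_dtd
    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise RifRejected(f"not well-formed XML: {exc}") from exc
    if len(imports) > MAX_IMPORTS:
        raise RifRejected("too many imports")
    for uri in imports:  # default-deny: an empty allow-list refuses every import
        parts = urlsplit(uri)
        if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
            raise RifRejected(f"import not allow-listed: {uri}")
    return imports
```

Because the namespace is compared after parsing, a namespace URI written with character references is still recognized, which a byte-level match on the hex form would miss.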