On 25/10/11 03:34, Adam Barth wrote:
> On Mon, Oct 24, 2011 at 7:32 PM, Anne van Kesteren <[email protected]> wrote:
>> On Tue, 25 Oct 2011 11:21:35 +0900, Adam Barth <[email protected]> wrote:
>>> http://trac.tools.ietf.org/wg/websec/trac/ticket/17 refers to an IANA
>>> registry with magic numbers for various media types.  I wanted to
>>> compare them to what's in the draft, but I couldn't find it.  I found
>>> the media type registry, e.g., for images:
>>>
>>> http://www.iana.org/assignments/media-types/image/index.html
>>>
>>> but I don't see any magic numbers.  Would someone be willing to point
>>> me in the right direction?
>> I don't think using a registry is a good idea. When a new MIME type comes
>> along it needs to be determined at that point whether or not we want to
>> sniff for it. E.g. for image/svg+xml, a new image MIME type, we decided we
>> would not sniff for it.
>>
>> I suppose we could somehow encode all that information in a registry, but I
>> do not see it making things any better for implementors.
> Yeah, I don't think a registry is a good idea either.  Constructing
> these signatures is too subtle, but I wanted to give the idea a fair
> shake.  Looking at the existing registry will give us a sense for its
> quality.
>
> Adam
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec

The existing registry is here:
http://www.iana.org/assignments/media-types/index.html
And if you want to see what things look like for one MIME type:
e.g. for html: http://events.linkedin.com/Ietf-82/pub/803707
(as you can see, it is very short and easy to register a MIME type...)

On a technical note:
There might be a good reason for a registry over doing this only by RFC:
the RFC will remain static (though you can update it with another draft,
doing that on a regular basis should not necessarily be the main
intention from the get-go). A registry is dynamic, so you can add
information easily later (by RFC or expert review, ...). Adding MIME
types is easy, and we could enrich the registration of MIME types with
the information you need to decide on whether to sniff and how....

Kind regards, Tobias



