Yeah, I think we're much better off creating a new registry rather than using the MIME registry. The truth is that most MIME types that get registered don't need sniffing rules. The only ones that need it are the legacy ones and the ones browser vendor cause to need it because of the prisoner's dilemma in the browser market.
Adam On Tue, Oct 25, 2011 at 8:52 PM, Tobias Gondrom <[email protected]> wrote: > <hat="individual"> > For me the point is, currently we have a table in the document, which inside > an RFC is rather static and hard to extend. > So it looks like a good case for a registry to allow for extendibility for > new mime-types. (e.g. we keep the table in the document, create an IANA > registry, copy the values to the registry and allow for future entries by > expert review) > That can either be added to the current Mime-type registry, or we create a > new one (e.g. within the websec namespace) with only these elements. > > Just my 5cents. > > Tobias > > > > On 25/10/11 05:23, Adam Barth wrote: >> >> On Mon, Oct 24, 2011 at 9:07 PM, "Martin J. Dürst" >> <[email protected]> wrote: >>> >>> On 2011/10/25 11:21, Adam Barth wrote: >>>> >>>> http://trac.tools.ietf.org/wg/websec/trac/ticket/17 refers to an IANA >>>> registry with magic numbers for various media types. I wanted to >>>> compare them to what's in the draft, but I couldn't find it. I found >>>> the media type registry, e.g., for images: >>>> >>>> http://www.iana.org/assignments/media-types/image/index.html >>>> >>>> but I don't see any magic numbers. Would someone be willing to point >>>> me in the right direction? >>> >>> They are in the templates. To get the template for a registration, start >>> at >>> the overview page >>> (http://www.iana.org/assignments/media-types/index.html). >>> >>> Then go to the page that lists all the registration for a give top level, >>> e.g. http://www.iana.org/assignments/media-types/image/index.html for >>> images. >>> >>> Then look at each registration template (click on the link in the left >>> column, or in the right column if the left one doesn't have a link and >>> the >>> right one is to an RFC). You may then find a magic number in the >>> registration template. As an example, for image/jp2, the template is at >>> http://www.iana.org/assignments/media-types/image/jp2. >>> >>> But it looks like earlier templates didn't have a field for a magic >>> number, >>> and this and the reasons Anne gave make this information helpful for >>> cross-checking, but not much more. >> >> == Images == >> >> PNG has a registration template >> <http://www.iana.org/assignments/media-types/image/png>, but lacks a >> signature. >> JPEG doesn't have a template. >> GIF doesn't have a template. >> BMP isn't even registered. >> WEBP isn't even registered. >> ICO has a registration template >> <http://www.iana.org/assignments/media-types/image/vnd.microsoft.icon> >> and has the correct signature. Yay! >> >> == Text == >> >> HTML lacks a registration template. >> >> == Application == >> >> PDF doesn't have a template. >> Postscript doesn't have a template. >> OGG doesn't have a template. >> RAR isn't even registered. >> ZIP has a registration template >> <http://www.iana.org/assignments/media-types/application/zip>, but >> lacks a signature. >> GZIP isn't even registered. >> RSS isn't even registered. >> Atom lacks a registration template. >> >> == Audio == >> >> WAV isn't even registered. >> >> == Video == >> >> MP4 lacks a registration template. >> WebM isn't even registered. >> >> This does not look like a promising approach. Note: I haven't even >> looked through all the registrations to see how many have signatures >> that we shouldn't be using. >> >> Adam >> _______________________________________________ >> websec mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/websec > > _______________________________________________ > websec mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/websec > _______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
