Update security considerations based on work in N-Quads.

gkellogg · gkellogg · commit 35ef6bdc1df2 · 2023-02-17T14:23:24.000-08:00
Fixes #11.
diff --git a/spec/index.html b/spec/index.html
@@ -1287,37 +1287,38 @@ <h2>Security Considerations</h2>
   <p>The RDF Abstract Syntax is not used directly for conveying information,
     although concrete serialization forms are specifically intended to do so.</p>
 
-  <p>Applications MAY evaluate given data to infer more assertions or to dereference IRIs,
+  <p>Applications MAY evaluate given data to infer more assertions or to dereference <a>IRIs</a>,
     invoking the security considerations of the scheme for that IRI.
     Note in particular, the privacy issues in [[RFC3023]] section 10 for HTTP IRIs.
     Data obtained from an inaccurate or malicious data source may lead to inaccurate or misleading conclusions,
     as well as the dereferencing of unintended IRIs.
-    Care must be taken to align the trust in consulted resources with the sensitivity of the intended use of the data;
-    inferences of potential medical treatments would likely require
-    different trust than inferences for trip planning.</p>
+    Care must be taken to align the trust in consulted resources with the sensitivity of
+    the intended use of the data;
+    inferences of potential medical treatments would likely require different trust than inferences
+    for trip planning.</p>
 
   <p>RDF is used to express arbitrary application data;
     security considerations will vary by domain of use.
     Security tools and protocols applicable to text
-    (e.g., PGP encryption, MD5 sum validation, password-protected compression)
-    may also be used on RDF documents.
+    (for example, PGP encryption, checksum validation, password-protected compression)
+    may also be used on N-Quads documents.
     Security/privacy protocols must be imposed which reflect the sensitivity of the embedded information.</p>
 
-  <p>RDF can express data which is presented to the user, for example, RDF Schema labels.
-    Applications rendering strings retrieved from untrusted RDF documents must ensure
-    that malignant strings may not be used to mislead the reader.
-    The security considerations in the media type registration for
-    XML ([[RFC3023]] section 10) provide additional guidance around the
-    expression of arbitrary data and markup.</p>
+  <p>RDF can express data which is presented to the user, such as RDF Schema labels.
+    Applications rendering strings retrieved from untrusted RDF documents,
+    or using unescaped characters,
+    SHOULD prevent such strings from being used to mislead the reader,
+    The security considerations in the media type registration for XML ([[!RFC3023]] section 10)
+    provide additional guidance around the expression of arbitrary data and markup.</p>
 
-  <p>RDF uses IRIs as term identifiers.
+  <p>RDF uses <a>IRIs</a> as term identifiers.
     Applications interpreting data expressed in RDF SHOULD address the security issues of
     [[[RFC3987]]] [[RFC3987]] Section 8,
     as well as [[[RFC3986]]] [[RFC3986]] Section 7.</p>
 
-  <p>Multiple IRIs may have the same appearance
+  <p>Multiple <a>IRIs</a> may have the same appearance
      Characters in different scripts may look similar
-     (a Cyrillic &quot;о&quot; may appear similar to a Latin &quot;o&quot;).
+     (a Cyrillic &quot;&#1086;&quot; may appear similar to a Latin &quot;o&quot;).
      A character followed by combining characters may have the same visual representation
      as another character (LATIN SMALL LETTER "E" followed by COMBINING ACUTE ACCENT
      has the same visual representation as LATIN SMALL LETTER "E" WITH ACUTE).
@@ -1326,18 +1327,11 @@ <h2>Security Considerations</h2>
      and avoid IRIs that make look similar.
      Further information about matching of similar characters can be found
      in [[[UNICODE-SECURITY]]] [[UNICODE-SECURITY]] and
-     [[[RFC3987]]] [[RFC3987]] Section 8.
-  </p>
+     [[[RFC3987]]] [[RFC3987]] Section 8.</p>
 
   <p class="note">These considerations are a more generic form
     of Security Considerations for [[RDF12-TURTLE]], [[RDF12-TRIG]], [[RDF12-N-TRIPLES]],
     and [[RDF12-N-QUADS]].</p>
-
-  <p class="issue" data-number="11">
-    There's a concern that no implementations can be compliant as it is virtually
-    impossible forimplementations to ensure that malignant strings
-    cannot be used to mislead the reader.
-  </p>
 </section>
 
 <section id="internationalization">
