Skip to content

Commit 35ef6bd

Browse files
committed
Update security considerations based on work in N-Quads.
Fixes #11.
1 parent e93ecf0 commit 35ef6bd

File tree

1 file changed

+17
-23
lines changed

1 file changed

+17
-23
lines changed

spec/index.html

Lines changed: 17 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -1287,37 +1287,38 @@ <h2>Security Considerations</h2>
12871287
<p>The RDF Abstract Syntax is not used directly for conveying information,
12881288
although concrete serialization forms are specifically intended to do so.</p>
12891289

1290-
<p>Applications MAY evaluate given data to infer more assertions or to dereference IRIs,
1290+
<p>Applications MAY evaluate given data to infer more assertions or to dereference <a>IRIs</a>,
12911291
invoking the security considerations of the scheme for that IRI.
12921292
Note in particular, the privacy issues in [[RFC3023]] section 10 for HTTP IRIs.
12931293
Data obtained from an inaccurate or malicious data source may lead to inaccurate or misleading conclusions,
12941294
as well as the dereferencing of unintended IRIs.
1295-
Care must be taken to align the trust in consulted resources with the sensitivity of the intended use of the data;
1296-
inferences of potential medical treatments would likely require
1297-
different trust than inferences for trip planning.</p>
1295+
Care must be taken to align the trust in consulted resources with the sensitivity of
1296+
the intended use of the data;
1297+
inferences of potential medical treatments would likely require different trust than inferences
1298+
for trip planning.</p>
12981299

12991300
<p>RDF is used to express arbitrary application data;
13001301
security considerations will vary by domain of use.
13011302
Security tools and protocols applicable to text
1302-
(e.g., PGP encryption, MD5 sum validation, password-protected compression)
1303-
may also be used on RDF documents.
1303+
(for example, PGP encryption, checksum validation, password-protected compression)
1304+
may also be used on N-Quads documents.
13041305
Security/privacy protocols must be imposed which reflect the sensitivity of the embedded information.</p>
13051306

1306-
<p>RDF can express data which is presented to the user, for example, RDF Schema labels.
1307-
Applications rendering strings retrieved from untrusted RDF documents must ensure
1308-
that malignant strings may not be used to mislead the reader.
1309-
The security considerations in the media type registration for
1310-
XML ([[RFC3023]] section 10) provide additional guidance around the
1311-
expression of arbitrary data and markup.</p>
1307+
<p>RDF can express data which is presented to the user, such as RDF Schema labels.
1308+
Applications rendering strings retrieved from untrusted RDF documents,
1309+
or using unescaped characters,
1310+
SHOULD prevent such strings from being used to mislead the reader,
1311+
The security considerations in the media type registration for XML ([[!RFC3023]] section 10)
1312+
provide additional guidance around the expression of arbitrary data and markup.</p>
13121313

1313-
<p>RDF uses IRIs as term identifiers.
1314+
<p>RDF uses <a>IRIs</a> as term identifiers.
13141315
Applications interpreting data expressed in RDF SHOULD address the security issues of
13151316
[[[RFC3987]]] [[RFC3987]] Section 8,
13161317
as well as [[[RFC3986]]] [[RFC3986]] Section 7.</p>
13171318

1318-
<p>Multiple IRIs may have the same appearance
1319+
<p>Multiple <a>IRIs</a> may have the same appearance
13191320
Characters in different scripts may look similar
1320-
(a Cyrillic &quot;о&quot; may appear similar to a Latin &quot;o&quot;).
1321+
(a Cyrillic &quot;&#1086;&quot; may appear similar to a Latin &quot;o&quot;).
13211322
A character followed by combining characters may have the same visual representation
13221323
as another character (LATIN SMALL LETTER "E" followed by COMBINING ACUTE ACCENT
13231324
has the same visual representation as LATIN SMALL LETTER "E" WITH ACUTE).
@@ -1326,18 +1327,11 @@ <h2>Security Considerations</h2>
13261327
and avoid IRIs that make look similar.
13271328
Further information about matching of similar characters can be found
13281329
in [[[UNICODE-SECURITY]]] [[UNICODE-SECURITY]] and
1329-
[[[RFC3987]]] [[RFC3987]] Section 8.
1330-
</p>
1330+
[[[RFC3987]]] [[RFC3987]] Section 8.</p>
13311331

13321332
<p class="note">These considerations are a more generic form
13331333
of Security Considerations for [[RDF12-TURTLE]], [[RDF12-TRIG]], [[RDF12-N-TRIPLES]],
13341334
and [[RDF12-N-QUADS]].</p>
1335-
1336-
<p class="issue" data-number="11">
1337-
There's a concern that no implementations can be compliant as it is virtually
1338-
impossible forimplementations to ensure that malignant strings
1339-
cannot be used to mislead the reader.
1340-
</p>
13411335
</section>
13421336

13431337
<section id="internationalization">

0 commit comments

Comments
 (0)