Extract Security Considerations from PR #17.

spec/index.html

@@ -281,6 +281,66 @@ <h2>A Canonical form of N-Quads</h2>
   </div>
 </section>
 
+<section id="privacy-considerations">
+  <h2>Privacy Considerations</h2>
+  <p class="ednote">TODO</p>  
+</section>
+
+<section id="security">
+  <h2>Security Considerations</h2>
+
+  <p>The <a href="#grammar-production-STRING_LITERAL_QUOTE">STRING_LITERAL_QUOTE</a>
+    production allows the use of unescaped control characters.
+    Although this specification does not directly expose this content to an end user,
+    it might be presented through a user agent, which may cause the presented text to 
+    be obfuscated due to presentation of such characters.</p>
+
+  <p>N-Quads is a general-purpose assertion language;
+    applications may evaluate given data to infer more assertions or to dereference <a data-cite="RDF12-CONCEPTS#dfn-iri">IRIs</a>,
+    invoking the security considerations of the scheme for that IRI.
+    Note in particular, the privacy issues in [[RFC3023]] section 10 for HTTP IRIs.
+    Data obtained from an inaccurate or malicious data source may lead to inaccurate or misleading conclusions,
+    as well as the dereferencing of unintended IRIs.
+    Care must be taken to align the trust in consulted resources with the sensitivity of
+    the intended use of the data;
+    inferences of potential medical treatments would likely require different trust than inferences
+    for trip planning.</p>
+
+  <p>The N-Quads language is used to express arbitrary application data;
+    security considerations will vary by domain of use.
+    Security tools and protocols applicable to text
+    (for example, PGP encryption, checksum validation, password-protected compression)
+    may also be used on N-Quads documents.
+    Security/privacy protocols must be imposed which reflect the sensitivity of the embedded information.</p>
+
+  <p>N-Quads can express data which is presented to the user, such as RDF Schema labels.
+    Applications rendering strings retrieved from untrusted N-Quads documents,
+    or using unescaped characters,
+    SHOULD use warnings and other appropriate means to limit the possibility
+    that malignant strings might be used to mislead the reader.
+    The security considerations in the media type registration for XML ([[!RFC3023]] section 10)
+    provide additional guidance around the expression of arbitrary data and markup.</p>
+
+  <p>N-Quads uses <a data-cite="RDF12-CONCEPTS#dfn-iri">IRIs</a> as term identifiers.
+    Applications interpreting data expressed in N-Quads SHOULD address the security issues of
+    [[[!RFC3987]]] [[!RFC3987]] Section 8, as well as
+    [[[!RFC3986]]] [[!RFC3986]] Section 7.</p>
+
+  <p>Multiple <a data-cite="RDF12-CONCEPTS#dfn-iri">IRIs</a> may have the same appearance.
+    Characters in different scripts may look similar (for instance,
+    a Cyrillic &quot;&#1086;&quot; may appear similar to a Latin &quot;o&quot;).
+    A character followed by combining characters may have the same visual representation
+    as another character (for example, LATIN SMALL LETTER "E" followed by COMBINING ACUTE
+    ACCENT has the same visual representation as LATIN SMALL LETTER "E" WITH ACUTE).
+    <!-- (<code>foo:resum&#40751;code> and <code>f&#1086;&#1086;:resume&#769;</code>)-->
+    Any person or application that is writing or interpreting data in N-Quads
+    must take care to use the IRI that matches the intended semantics,
+    and avoid IRIs that may look similar.
+    Further information about matching of similar characters can be found
+    in [[[UNICODE-SECURITY]]] [[UNICODE-SECURITY]] and
+    [[[RFC3987]]] [[RFC3987]] Section 8.</p>
+</section>
+
 <section id="conformance">
   <p>This specification defines conformance criteria for:</p>
   <ul>
@@ -478,6 +538,8 @@ <h2>Changes between RDF 1.1 and RDF 1.2</h2>
       better mirroring [[RDF12-TURTLE]].</li>
     <li>Updated the <a href="#grammar-production-PN_CHARS_U">PN_CHARS_U</a>
       grammar production to be consisten with with Turtle.</li>
+    <li>Separate <a href="#security"></a> from <a href="#sec-mediatype"></a>
+      and update language.</li>
   </ul>
 </section>
 
@@ -513,47 +575,7 @@ <h2>N-Quads Internet Media Type, File Extension and Macintosh File Type </h2>
     <dd>Unicode code points may also be expressed using an \uXXXX (U+0 to U+FFFF)
       or \UXXXXXXXX syntax (for U+10000 onwards) where X is a hexadecimal digit [0-9A-F]</dd>
     <dt>Security considerations:</dt>
-    <dd>N-Quads is a general-purpose assertion language;
-      applications may evaluate given data to infer more assertions or to dereference IRIs,
-      invoking the security considerations of the scheme for that IRI.
-      Note in particular, the privacy issues in [[!RFC3023]] section 10 for HTTP IRIs.
-      Data obtained from an inaccurate or malicious data source may lead to inaccurate or misleading conclusions,
-      as well as the dereferencing of unintended IRIs.
-      Care must be taken to align the trust in consulted resources with the sensitivity of
-      the intended use of the data;
-      inferences of potential medical treatments would likely require different trust than inferences
-      for trip planning.</dd>
-
-    <dd>N-Quads is used to express arbitrary application data; security considerations
-      will vary by domain of use. Security tools and protocols applicable to text
-      (e.g. PGP encryption, MD5 sum validation, password-protected compression)
-      may also be used on N-Quads documents.
-      Security/privacy protocols must be imposed which reflect the sensitivity of the embedded information.</dd>
-    <dd>N-Quads can express data which is presented to the user, for example, RDF Schema labels.
-      Application rendering strings retrieved from untrusted N-Quads documents
-      must ensure that malignant strings may not be used to mislead the reader.
-      The security considerations in the media type registration for XML ([[!RFC3023]] section 10)
-      provide additional guidance around the expression of arbitrary data and markup.</dd>
-    <dd>N-Quads uses IRIs as term identifiers.
-      Applications interpreting data expressed in N-Quads should address the security issues of
-      [[[!RFC3987]]] [[!RFC3987]] Section 8, as well as
-      [[[!RFC3986]]] [[!RFC3986]] Section 7.</dd>
-
-    <dd>Multiple IRIs may have the same appearance. Characters in different scripts may
-      look similar (a Cyrillic &quot;&#1086;&quot; may appear similar to a Latin &quot;o&quot;).
-      A character followed by combining characters may have the same visual representation
-      as another character
-      (LATIN SMALL LETTER E followed by COMBINING ACUTE ACCENT has the same visual representation
-      as LATIN SMALL LETTER E WITH ACUTE).
-      <!-- (<code>foo:resum&#40751;code> and <code>f&#1086;&#1086;:resume&#769;</code>)-->
-      Any person or application that is writing or interpreting data in
-      TriG must take care to use the IRI that matches the intended semantics,
-      and avoid IRIs that make look similar.
-      Further information about matching of similar characters can be found
-      in [[[UNICODE-SECURITY]]] [[UNICODE-SECURITY]] and
-       [[[RFC3987]]] [[RFC3987]] Section 8.
-    </dd>
-
+    <dd>See <a href="#security" class="sectionRef"></a>.</dd>
     <dt>Interoperability considerations:</dt>
     <dd>There are no known interoperability issues.</dd>
     <dt>Published specification:</dt>