From a91857e2ede9319d438268ef7501e5b088e618c7 Mon Sep 17 00:00:00 2001 From: Gregg Kellogg Date: Tue, 21 Feb 2023 09:18:04 -0800 Subject: [PATCH 1/4] Extract Security Considerations from PR #17. --- spec/index.html | 104 +++++++++++++++++++++++++++++------------------- 1 file changed, 63 insertions(+), 41 deletions(-) diff --git a/spec/index.html b/spec/index.html index 20ac892..56d0909 100644 --- a/spec/index.html +++ b/spec/index.html @@ -281,6 +281,66 @@

A Canonical form of N-Quads

+
+

Privacy Considerations

+

TODO

+
+ +
+

Security Considerations

+ +

The STRING_LITERAL_QUOTE + production allows the use of unescaped control characters. + Although this specification does not directly expose this content to an end user, + it might be presented through a user agent, which may cause the presented text to + be obfuscated due to presentation of such characters.

+ +

N-Quads is a general-purpose assertion language; + applications may evaluate given data to infer more assertions or to dereference IRIs, + invoking the security considerations of the scheme for that IRI. + Note in particular, the privacy issues in [[RFC3023]] section 10 for HTTP IRIs. + Data obtained from an inaccurate or malicious data source may lead to inaccurate or misleading conclusions, + as well as the dereferencing of unintended IRIs. + Care must be taken to align the trust in consulted resources with the sensitivity of + the intended use of the data; + inferences of potential medical treatments would likely require different trust than inferences + for trip planning.

+ +

The N-Quads language is used to express arbitrary application data; + security considerations will vary by domain of use. + Security tools and protocols applicable to text + (for example, PGP encryption, checksum validation, password-protected compression) + may also be used on N-Quads documents. + Security/privacy protocols must be imposed which reflect the sensitivity of the embedded information.

+ +

N-Quads can express data which is presented to the user, such as RDF Schema labels. + Applications rendering strings retrieved from untrusted N-Quads documents, + or using unescaped characters, + SHOULD use warnings and other appropriate means to limit the possibility + that malignant strings might be used to mislead the reader. + The security considerations in the media type registration for XML ([[!RFC3023]] section 10) + provide additional guidance around the expression of arbitrary data and markup.

+ +

N-Quads uses IRIs as term identifiers. + Applications interpreting data expressed in N-Quads SHOULD address the security issues of + [[[!RFC3987]]] [[!RFC3987]] Section 8, as well as + [[[!RFC3986]]] [[!RFC3986]] Section 7.

+ +

Multiple IRIs may have the same appearance. + Characters in different scripts may look similar (for instance, + a Cyrillic "о" may appear similar to a Latin "o"). + A character followed by combining characters may have the same visual representation + as another character (for example, LATIN SMALL LETTER "E" followed by COMBINING ACUTE + ACCENT has the same visual representation as LATIN SMALL LETTER "E" WITH ACUTE). + + Any person or application that is writing or interpreting data in N-Quads + must take care to use the IRI that matches the intended semantics, + and avoid IRIs that may look similar. + Further information about matching of similar characters can be found + in [[[UNICODE-SECURITY]]] [[UNICODE-SECURITY]] and + [[[RFC3987]]] [[RFC3987]] Section 8.

+
+

This specification defines conformance criteria for:
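Review bot: the new Security Considerations section mixes lowercase "must" ("Care must be taken", "Security/privacy protocols must be imposed", "must take care to use the IRI") with RFC 2119 capitalised "SHOULD" in the rendering and IRI paragraphs; pick one convention so a reader can tell which statements are conformance requirements. The same RFC is cited two ways within the section, informatively as [[RFC3023]] in the dereferencing paragraph and normatively as [[!RFC3023]] in the rendering paragraph; the deleted media-type copy used [[!RFC3023]] throughout, so the informative form looks like a slip. The Privacy Considerations section in this hunk still has only "TODO" as its body; either fill it in before merge or flag it as a placeholder in the changelog so it is not overlooked at publication.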

@@ -513,47 +575,7 @@

N-Quads Internet Media Type, File Extension and Macintosh File Type

Unicode code points may also be expressed using an \uXXXX (U+0 to U+FFFF) or \UXXXXXXXX syntax (for U+10000 onwards) where X is a hexadecimal digit [0-9A-F]
Security considerations:
-
N-Quads is a general-purpose assertion language; - applications may evaluate given data to infer more assertions or to dereference IRIs, - invoking the security considerations of the scheme for that IRI. - Note in particular, the privacy issues in [[!RFC3023]] section 10 for HTTP IRIs. - Data obtained from an inaccurate or malicious data source may lead to inaccurate or misleading conclusions, - as well as the dereferencing of unintended IRIs. - Care must be taken to align the trust in consulted resources with the sensitivity of - the intended use of the data; - inferences of potential medical treatments would likely require different trust than inferences - for trip planning.
- -
N-Quads is used to express arbitrary application data; security considerations - will vary by domain of use. Security tools and protocols applicable to text - (e.g. PGP encryption, MD5 sum validation, password-protected compression) - may also be used on N-Quads documents. - Security/privacy protocols must be imposed which reflect the sensitivity of the embedded information.
-
N-Quads can express data which is presented to the user, for example, RDF Schema labels. - Application rendering strings retrieved from untrusted N-Quads documents - must ensure that malignant strings may not be used to mislead the reader. - The security considerations in the media type registration for XML ([[!RFC3023]] section 10) - provide additional guidance around the expression of arbitrary data and markup.
-
N-Quads uses IRIs as term identifiers. - Applications interpreting data expressed in N-Quads should address the security issues of - [[[!RFC3987]]] [[!RFC3987]] Section 8, as well as - [[[!RFC3986]]] [[!RFC3986]] Section 7.
- -
Multiple IRIs may have the same appearance. Characters in different scripts may - look similar (a Cyrillic "о" may appear similar to a Latin "o"). - A character followed by combining characters may have the same visual representation - as another character - (LATIN SMALL LETTER E followed by COMBINING ACUTE ACCENT has the same visual representation - as LATIN SMALL LETTER E WITH ACUTE). - - Any person or application that is writing or interpreting data in - TriG must take care to use the IRI that matches the intended semantics, - and avoid IRIs that make look similar. - Further information about matching of similar characters can be found - in [[[UNICODE-SECURITY]]] [[UNICODE-SECURITY]] and - [[[RFC3987]]] [[RFC3987]] Section 8. -
- +
See .
Interoperability considerations:
There are no known interoperability issues.
Published specification:
From b6160deab74717698a9924ac2646bea184d10870 Mon Sep 17 00:00:00 2001 From: Gregg Kellogg Date: Tue, 21 Feb 2023 11:43:16 -0800 Subject: [PATCH 2/4] Update spec/index.html Co-authored-by: Ted Thibodeau Jr --- spec/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/index.html b/spec/index.html index 56d0909..d15293a 100644 --- a/spec/index.html +++ b/spec/index.html @@ -538,7 +538,7 @@

Changes between RDF 1.1 and RDF 1.2

better mirroring [[RDF12-TURTLE]].
  • Updated the PN_CHARS_U grammar production to be consisten with with Turtle.
  • -
  • Separate from +
  • Separated from and update language.
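Review bot: the added changelog entry "Separated from and update language." mixes tenses with the neighbouring entries ("Updated ..."); "updated language" would match. The unchanged context line just above, "to be consisten with with Turtle", carries a typo and a doubled word that this PR could fix while it is already editing the list. The entry's link target has also dropped out in this view; confirm the reference to the separated section is intact in the rendered document.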
  • From 6ff8e5158480a98d17df21346862c588c23c1d50 Mon Sep 17 00:00:00 2001 From: Gregg Kellogg Date: Tue, 21 Feb 2023 13:37:04 -0800 Subject: [PATCH 3/4] Update spec/index.html Co-authored-by: Ted Thibodeau Jr --- spec/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/index.html b/spec/index.html index d15293a..c4e3a05 100644 --- a/spec/index.html +++ b/spec/index.html @@ -539,7 +539,7 @@

    Changes between RDF 1.1 and RDF 1.2

  • Updated the PN_CHARS_U grammar production to be consisten with with Turtle.
  • Separated from - and update language.
  • + and updated language. From 47e6c099efd161da676b7f8db1811d7db84dc8a9 Mon Sep 17 00:00:00 2001 From: Gregg Kellogg Date: Mon, 13 Mar 2023 22:09:27 -0700 Subject: [PATCH 4/4] Update spec/index.html Co-authored-by: Ted Thibodeau Jr --- spec/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/index.html b/spec/index.html index c4e3a05..dab37e7 100644 --- a/spec/index.html +++ b/spec/index.html @@ -336,7 +336,7 @@

    Security Considerations

    Any person or application that is writing or interpreting data in N-Quads must take care to use the IRI that matches the intended semantics, and avoid IRIs that may look similar. - Further information about matching of similar characters can be found + Further information about matching visually similar characters can be found in [[[UNICODE-SECURITY]]] [[UNICODE-SECURITY]] and [[[RFC3987]]] [[RFC3987]] Section 8.
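Review bot: the reworded "matching visually similar characters" is clearer, but the same sentence keeps lowercase "must take care" while the surrounding section uses RFC 2119 "SHOULD" for the rendering and IRI guidance; if this obligation is meant to be normative, write "MUST", otherwise "should" avoids implying a conformance requirement that the section does not otherwise state.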