Difference between revisions of "X3D MIME-Type"

From Web3D.org
Jump to: navigation, search
(6. Security considerations:: - Very eaqrly draft text)
(6. Security considerations:: - restructure)
Line 87: Line 87:
  
 
''Editors note: The following draft contains most of the relevant references and issues that we could find.  This section needs to be rewritten to address the questions and statements in [http://tools.ietf.org/html/rfc4288#section-4.6 RFC 4288, Media Type Specifications and Registration Procedures (Security Requirements)]. Specifically we need to address/state response for ''
 
''Editors note: The following draft contains most of the relevant references and issues that we could find.  This section needs to be rewritten to address the questions and statements in [http://tools.ietf.org/html/rfc4288#section-4.6 RFC 4288, Media Type Specifications and Registration Procedures (Security Requirements)]. Specifically we need to address/state response for ''
* Complex media types
+
* '''Complex media types''': There are no X3D directives that access local resources except those related to the graphical display of content and the necessary system resources to make that happen. The X3D specification does allow for scripts to execute a variety of actions including changing the URL and accessing local resources. Any implementations that execute scripts MUST give consideration to their application's threat models and those of the individual features they implement; in particular, they MUST ensure that untrusted content is not executed in an unprotected environment.
* Active content
+
* Release of information
+
* Decompression issues
+
* External security considerations
+
  
Scripting is defined as being available for the specification. Two languages are defined: Java and ECMAScript. Each scripting language is controlled by its local security model. As the content may run in many different situations, the X3D specification does not impose specific security policies. For example, some standalone applications will want to directly interact with the local file system, network or database, while others that run in a web browser would use the web-browser's security model.
+
* '''Active content''': We are interpeting active content to mean any and all content that is not static and unchanging while the designated URL is displayed.
 +
The intent of X3D is to provide active content to the user. This requires system resources in the form of memory, CPU processing, and graphics processing. Users of X3D desire active and are aware of the system demands.
  
X3D security considerations are a close match to HTML. Javascript or Java scripts may be linked internal to an X3D scene, or external to an X3D scene by an encapsulating HTML browser. Relevant references follow.
+
* '''Release of information''': The X3D specification does not require any information be sent from the user's computer. A particular implementation may request information and distribute it. It is up to the implementor and user to negotiate the terms of service for that particular application.
  
Complex Media Types:
+
* '''Decompression issues''': <Don should discuss this...>
There are no X3D directives that access local resources except those related to the graphical display of content and the necessary system resources to make that happen. The X3D specification does allow for scripts to execute a variety of actions including changing the URL and accessing local resources. Any implementations that execute scripts MUST give consideration to their application's threat models and those of the individual features they implement; in particular, they MUST ensure that untrusted content is not executed in an unprotected environment.
+
  
Active Content:
+
* '''External security considerations''': There is nothing in the X3D specification that requires or prevents secruity assurances. A particular implementation may request information and distribute it. It is up to the implementor and user to negotiate the terms of service for that particular application.
We are interperting active content to mean any and all content that is not static and unchanging while the designated URL is displayed.
+
The intent of X3D is to provide active content to the user. This requires system resources in the form of memory, CPU processing, and graphics processing. Users of X3D desire active and are aware of the system demands.
+
  
Disclosure of Information:
+
Scripting is defined as being available for the specification. Two languages are defined: Java and ECMAScript. Each scripting language is controlled by its local security model. As the content may run in many different situations, the X3D specification does not impose specific security policies. For example, some standalone applications will want to directly interact with the local file system, network or database, while others that run in a web browser would use the web-browser's security model.
The X3D specification does not require any information be sent from the user's computer. A particular implementation may request information and distribute it. It is up to the implementor and user to negotiate the terms of service for that particular application.
+
 
+
Compression:
+
<Don should discuss this...>
+
 
+
External Security:
+
There is nothing in the X3D specification that requires or prevents secruity assurances. A particular implementation may request information and distribute it. It is up to the implementor and user to negotiate the terms of service for that particular application.
+
  
 +
X3D security considerations are a close match to HTML. Javascript or Java scripts may be linked internal to an X3D scene, or external to an X3D scene by an encapsulating HTML browser. Relevant references follow.
  
 
* [http://tools.ietf.org/html/rfc2854#section-7 HTML Mime Type Security Considerations]
 
* [http://tools.ietf.org/html/rfc2854#section-7 HTML Mime Type Security Considerations]

Revision as of 08:28, 13 June 2012

The X3D Working Group is preparing a formal submission to the Internet Engineering Task Force (IETF) to support X3D Mime Types.

Current work to gain final MIME-type approval

In 1997 the Internet Engineering Task Force (IETF) approved IETF RFC 2077 for the Model MIME type. This supports VRML and establishes a MIME basis for other 3D model formats. However, the IETF has not yet approved X3D as an official MIME type, primarily due our incomplete prior efforts which did not submit a formal final application. This page is where we are building that formal application for official status of the X3D MIME-Type.

The current round of work started in 2008 with an initial application submission late that year. Review comments were received from IETF MIME-Type task force, reconciled and incorporated back into the application in February 2009. This effort was reported and collected as Registration of media type model/x3d+XXX.

The updated document appears below. All edits need to be done in conformance with the current application standard. When completed, the application needs to be sent to 'ietf-types@iana.org' with the subject line "Registration of media type model/x3d+XXX" included.

References

Work list

  • Ensure that the application is fully complete
    • Confirm correct use of conjunction with sub-type (+xml, -vrml)
    • Revise Section 5, Encoding considerations to update the binary encoding to current state
    • Develop Section 6, Security Considerations
    • Update Section 9, Applications that use this media type
    • Update Section 10, Additional information
    • Update Section 11, Intended Usage
    • Update all X3D specification references to the latest version and description
    • Resolve all TODO items
  • Perform public review on x3d-public@web3d.org mailing list
  • Gain approval of X3D Working Group and concurrence of Web3D Board of Directors

Submission steps

  • Review the IETF MIME Type Submission references
  • Finalize application details that follow
  • Submit to IETF and follow up on any resulting actions or approvals

Our goal is make this submission during May 2012.


Registration application for X3D MIME type (draft)

Editors note: XML, ClassicVRML, and Binary responses merged together. In the end, three separate applications will need to be created. See RFC 3023, XML Media Types for requirements specific to XML media types.

1. Media Type Name:

Model

2. Subtype names:

Standards Tree

  • x3d+xml
  • x3d-vrml
  • x3d+fastinfoset

3. Required parameters:

None

4. Optional parameters:

None

5. Encoding considerations:

This application represents the different MIME types used for three different encodings of the X3D ISO standard (see [1]). The standard defines an abstract information structural representation, for which several file formats are available. These formats are currently defined to be:

  • XML: '8-bit text'
  • ClassicVRML: '8-bit text'
  • Compressed Binary: 'binary'

6. Security considerations:

Editors note: The following draft contains most of the relevant references and issues that we could find. This section needs to be rewritten to address the questions and statements in RFC 4288, Media Type Specifications and Registration Procedures (Security Requirements). Specifically we need to address/state response for

  • Complex media types: There are no X3D directives that access local resources except those related to the graphical display of content and the necessary system resources to make that happen. The X3D specification does allow for scripts to execute a variety of actions including changing the URL and accessing local resources. Any implementations that execute scripts MUST give consideration to their application's threat models and those of the individual features they implement; in particular, they MUST ensure that untrusted content is not executed in an unprotected environment.
  • Active content: We are interpeting active content to mean any and all content that is not static and unchanging while the designated URL is displayed.

The intent of X3D is to provide active content to the user. This requires system resources in the form of memory, CPU processing, and graphics processing. Users of X3D desire active and are aware of the system demands.

  • Release of information: The X3D specification does not require any information be sent from the user's computer. A particular implementation may request information and distribute it. It is up to the implementor and user to negotiate the terms of service for that particular application.
  • Decompression issues: <Don should discuss this...>
  • External security considerations: There is nothing in the X3D specification that requires or prevents secruity assurances. A particular implementation may request information and distribute it. It is up to the implementor and user to negotiate the terms of service for that particular application.

Scripting is defined as being available for the specification. Two languages are defined: Java and ECMAScript. Each scripting language is controlled by its local security model. As the content may run in many different situations, the X3D specification does not impose specific security policies. For example, some standalone applications will want to directly interact with the local file system, network or database, while others that run in a web browser would use the web-browser's security model.

X3D security considerations are a close match to HTML. Javascript or Java scripts may be linked internal to an X3D scene, or external to an X3D scene by an encapsulating HTML browser. Relevant references follow.

  • HTML Mime Type Security Considerations
    • Excerpt: In addition, the introduction of scripting languages and interactive capabilities in HTML 4.0 introduced a number of security risks associated with the automatic execution of programs written by the sender but interpreted by the recipient. User agents executing such scripts or programs must be extremely careful to insure that untrusted software is executed in a protected environment.
  • HTML4 Recommendation, B.10 Notes on security
    • Excerpt: Anchors, embedded images, and all other elements that contain URIs as parameters may cause the URI to be dereferenced in response to user input. In this case, the security issues of [RFC1738], section 6, should be considered. The widely deployed methods for submitting form requests -- HTTP and SMTP -- provide little assurance of confidentiality. Information providers who request sensitive information via forms -- especially with the INPUT element, type="password" -- should be aware and make their users aware of the lack of confidentiality.
  • HTML5 security references
    • Most (perhaps all) of the details regarding specific HTML5 elements seem to be not applicable to X3D mime types
    • Is there a reference yet for HTML5 mime type?
  • W3C Working Draft HTML5 differences from HTML4
    • Section 2 Syntax includes some media type (i.e. MIME type) details. Interestingly it refers to multiple media types, providing both text/html and application/xml examples.
    • Perhaps we should discuss both model/x3d and application/xml examples.
    • Interesting point, possibly relevant to X3D: Some MIME types (e.g. text/plain) that are guaranteed to never be supported as scripting types for script were specified, so authors can safely use them for custom data blocks.

7. Interoperability considerations:

The definition of the file format is maintained by the Web3d Consortium and published through the ISO process. Several revisions of the specification have been made and it continues to be made. All revisions use the same MIME type definitions, and are backwards compatible internally and structurally. In addition, each of the file format encodings may be losslessly transformed between each other.

There are no known interoperability issues. There are existing applications that run on PC, Macintosh, and Unix/Linux systems that work with the file format. The Web3D Consortium makes an effort to keep the file format interoperable across all platforms.

8. Published specification:

See RFC 4288, Media Type Specifications and Registration Procedures (Publication Requirements) for detailed instructions. All revisions of the X3D specification is maintained online at http://www.web3d.org/realtime-3d/specification/all The most recent specification is available from the ISO website (for a fee) or from Web3D Consortium

9. Applications that use this media type:

The applications that use (or would use) the

  • model/x3d+xml
  • model/x3d-vrml
  • model/x3d+fastinfoset

media type are those that display, create, edit, import, or export 3D model content using the X3D standard. A short list of the applications include:

  • BS Contact (from Bitmanagement, runs on Windows, Macintosh, Linux)
  • Instant Reality (Fraunhofer, runs on Windows, Macintosh, Linux)
  • X3DOM (Open source, runs on Windows, Macintosh, Linux, iPad)
  • Xj3D (Open source from Web3D Consortium, Java based)
  • FreeWRL (Open source, runs on Windows, Macintosh, Linux)
  • X3D-Edit and X3D Validator (from Naval Postgraduate School, Java based)
  • Blender (Open source, runs on Windows, Macintosh, Linux)
  • Octaga VS Player (from Octaga VS, runs on Windows)
  • Rawkee (Open source Maya exporter, runs in Maya)
  • See web3d.org/... for additional items
  • TODO

10. Additional information:

  • XML Encoding
    • Magic number(s): Use XML's specification
    • File extension: '.x3d'
    • Macintosh File Type Code(s): TODO
    • Object Identifier(s): TODO
  • ClassicVRML Encoding
    • Magic number(s): #X3D
    • File extension: '.x3dv'
    • Macintosh File Type Code(s): TODO
    • Object Identifier(s): TODO
  • Compressed Binary Encoding
    • Magic number(s): TODO
    • File extension: '.x3db'
    • Macintosh File Type Code(s): TODO
    • Object Identifier(s): TODO

11. Intended usage:

COMMON

12. Other Information/GeneralComment:

Editors note: It is not clear what should (or needs) to go in this section. The text below is what was previously here.

The X3D standard is a continuation of the VRML standard that is defined in RFC2077. As part of this work, several large modifications were made to the file format and specification. The basic premise for the specification continues the VRML design rational. The MIME types and file extensions were changed to indicate this modified standard.

  1. Content Sub-types

Each content type may have an additional Content-Encoding to indicate whether the content has been compressed using GZIP in addition to the basic textual encoding. This is also indicated by modifying each file extension with the character "z". For example, the plaintext VRML-encoded file format would use the extension ".x3dv", and if compressed using GZIP uses the extension ".x3dvz"

13. Person to contact for further information:

  • Name: Leonard Daly (X3D Working Group Co-Chair)
  • E-mail: <use appropriate alias>
  • Author / Change controller: The Web3D Consortium