Last Call Review of draft-ietf-mediaman-toplevel-03
review-ietf-mediaman-toplevel-03-secdir-lc-perlman-2023-10-19-00

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.



I would classify this document as "no issues".



In the list of MIME types (which we're now supposed to call "Media Types"
to reflect the fact that they are not just for email anymore), there are
hierarchical names for the various types including things like
"application/pkix-cert" or "image/bmp". There are thousands of IANA
registered types like this under a handful of top level types:



application/

audio/

font/

image/

message/

model/

multipart/

text/

video/



This document describes under what circumstances one would want to create a
new top level media type (as opposed to a new subtype under one of the
existing types). This document does not make it unambiguous as to what the
best approach is, and there is already a description in RFC 6838 which
seems adequate to me. It's not clear what the motivation for creating this
document now is, but as I said it is "mostly harmless".


It says under security considerations that it's up to the new type
specification to say what the security implications are for that type,
which seems about right to me.

Radia