Re: [ga] Re: Proposal: ICANN should cease acceptance of PDF, DOC and other attachments from public comments
- To: GNSO GA Mailing List <ga@xxxxxxxxxxxxxx>
- Subject: Re: [ga] Re: Proposal: ICANN should cease acceptance of PDF, DOC and other attachments from public comments
- From: George Kirikos <gkirikos@xxxxxxxxx>
- Date: Mon, 25 Jan 2010 05:50:19 -0800 (PST)
Hello,
--- On Mon, 1/25/10, Stephane Bortzmeyer <bortzmeyer@xxxxxx> wrote:
> There is no vulnerability in PDF, only in *one* specific proprietary
> PDF reader. If someone finds a security weakness in
> Windows Notepad, will you ban ASCII?
That "specific proprietary PDF reader" isn't just some random reader with a
0.1% market share made by someone in their garage --- it's the implementation
by the entity that *created* the PDF standard, Adobe, and likely has a 95%+
market share for PDF readers. I doubt anyone reading ASCII comments in ICANN
forums is loading them up in Notepad -- they'd be reading them in their web
browsers or email clients, which are pretty good at handling plain text safely!
> > I propose that ICANN cease to accept all public comments that are in
> > any format other than ASCII or Unicode text.
>
> It would be more interesting to have a discussion on the acceptable
> formats, especially proprietary vs. "open" (which is not
Even if a standard is "open" (which even Microsoft's is, see:
http://www.zdnet.com.au/news/software/soa/ECMA-approves-Microsoft-document-format/0,130061733,339272624,00.htm
), its complexity can make it an invitation to hackers via imperfect
implementations of the format in widely used document viewers.
If ICANN is virus-scanning attachments in incoming emails, they would need to
re-scan all past emails every time their virus database is updated. With ASCII
or Unicode text formats, there's a very low chance that anything malicious
would ever get through, assuming that they strip emails of anything bad in HTML
emails (e.g. stuff like Javascript, ActiveX, Flash, Java, etc.), i.e. only
allow basic tags, like bold, underline, italics, at best.
Sincerely,
George Kirikos
http://www.leap.com/
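
The tag allowlist described in the last paragraph of the message above (keep only bold, underline and italics in HTML mail, drop everything else), sketched as an added example that is not part of the original e-mail or of any ICANN system. The names `ALLOWED_TAGS`, `DROP_CONTENT`, `AllowlistSanitizer` and `sanitize` are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: "basic tags" means bold, underline and italics only.
ALLOWED_TAGS = {"b", "strong", "u", "i", "em"}
# Elements whose whole content is discarded, not just the tags themselves.
DROP_CONTENT = {"script", "style", "object", "applet", "iframe"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # allowed tags currently open, used for balancing
        self.drop_depth = 0  # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
        elif tag in ALLOWED_TAGS and not self.drop_depth:
            # Re-emit a bare tag: every attribute (onclick, style, ...) is discarded.
            self.out.append(f"<{tag}>")
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
        elif tag in self.open_tags and not self.drop_depth:
            # Close anything opened after this tag so the output stays well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # Entities were decoded by the parser; re-escape so text can never become markup.
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html_body):
    """Return html_body reduced to text plus attribute-free allowlisted tags."""
    parser = AllowlistSanitizer()
    parser.feed(html_body)
    parser.close()
    parser.out.extend(f"</{t}>" for t in reversed(parser.open_tags))
    return "".join(parser.out)
```

Comments, unknown tags and all attributes fall away because nothing re-emits them; the output is built from scratch rather than by deleting known-bad patterns from the input.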