From 52c7502928d1c6c88312df257f5c2cd284ed0791 Mon Sep 17 00:00:00 2001 From: Frank Kilcommins Date: Tue, 28 Nov 2023 20:50:20 +0000 Subject: [PATCH] chore: Add security and IANA considerations --- versions/1.0.0.md | 67 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/versions/1.0.0.md b/versions/1.0.0.md index 601517b..b839421 100644 --- a/versions/1.0.0.md +++ b/versions/1.0.0.md 
@@ -747,6 +747,73 @@ Field Pattern | Type | Description The extensions may or may not be supported by the available tooling, but those may be extended as well to add requested support (if tools are internal or open-sourced). +## Security Considerations + +The Workflows Specification does not enforce a security mechanism. Security is left to the implementer, though TLS, specifically HTTPS may be recommended for exchanging sensitive workflows. + +Workflows can be JSON or YAML values. As such, all security considerations defined in [RFC 8259](https://www.rfc-editor.org/info/rfc8259) and within YAML version [1.2](https://yaml.org/spec/1.2/spec.html) apply. + +Workflows are frequently written by untrusted third parties, to be deployed on public Internet servers. Processing a workflow description can cause both safe and unsafe operations to be performed on arbitrary network resources. It is the responsibility of the description consumer to ensure that the operations performed are not harmful. + +## IANA Considerations + +The proposed MIME media types for Workflows are described below. + +### application/vnd.oai.workflows + +The default (or general) MIME type for Workflows is defined as follows: + +  Media type name: application + +  Media subtype name: vnd.oai.workflows + +  Required parameters: N/A + +  Optional parameters: version (e.g. version=1.0.0 to indicate that the type of workflow conforms to version 1.0.0 of the Workflows Specification). + +  Encoding considerations: Encoding considerations are identical to those specified for the `application/json` and `application/yaml` media types, respectively. + +  Security considerations: See [security considerations](#security-considerations) above. 
+ +  Interoperability considerations: N/A + +**Note:** When using the `application/vnd.oai.workflows` media type the consumer should be prepared to receive YAML formatted content + +### application/vnd.oai.workflows+json + +The proposed MIME media type for Workflows that require a JSON-specific media type is defined as follows: + +  Media type name: application + +  Media subtype name: vnd.oai.workflows+json + +  Required parameters: N/A + +  Optional parameters: version (e.g. version=1.0.0 to indicate that the type of workflow conforms to version 1.0.0 of the Workflows Specification). + +  Encoding considerations: Encoding considerations are identical to those specified for the `application/json` media type. + +  Security considerations: See [security considerations](#security-considerations) above. + +  Interoperability considerations: N/A + +### application/vnd.oai.workflows+yaml + +The proposed MIME media type for Workflows that require a YAML-specific media type is defined as follows: + +  Media type name: application + +  Media subtype name: vnd.oai.workflows+yaml + +  Required parameters: N/A + +  Optional parameters: version (e.g. version=1.0.0 to indicate that the type of workflow conforms to version 1.0.0 of the Workflows Specification). + +  Encoding considerations: Encoding considerations are identical to those specified for the `application/yaml` media type. + +  Security considerations: See [security considerations](#security-considerations) above. + +  Interoperability considerations: N/A ## Appendix A: Revision History
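Review bot: In the new Security Considerations section, "TLS, specifically HTTPS may be recommended for exchanging sensitive workflows" reads as neither a requirement nor a recommendation, so an implementer cannot tell what the specification expects. State it directly, for example that workflows should be exchanged over HTTPS. The third paragraph has a similar gap: it says workflows are "frequently written by untrusted third parties" and can act on "arbitrary network resources", then leaves it to the consumer to ensure operations "are not harmful" without naming a single check. Consider listing a few, such as parsing the document as untrusted input and restricting which network resources a workflow may reach. Separately, the Note under `application/vnd.oai.workflows` tells consumers to be prepared for YAML only, while that type's Encoding considerations cover both `application/json` and `application/yaml`. The Note should say which of the two a consumer must handle when no suffix is given. It is also missing its final period.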