rity
   mechanism that encrypts or signs an Ogg bitstream and thus provides
   content confidentiality and authenticity.

   As Ogg encapsulates binary data, it is possible to include executable
   content in an Ogg bitstream.  Implementations SHOULD NOT execute such
   content without prior validation of its origin by the end-user.

   Issues may arise on applications that use Ogg for streaming or file
   transfer in a networking scenario.  In such cases, implementations
   decoding Ogg and its encapsulated bitstreams have to ensure correct
   handling of manipulated bitstreams, of buffer overflows, and similar
   issues.

   It is also possible to author malicious Ogg bitstreams, which attempt
   to call for an excessively large picture size, high sampling-rate
   audio, etc.  Implementations SHOULD protect themselves against this
   kind of attack.

   Ogg has an extensible structure, so that it is theoretically possible
   that metadata fields or media formats might be defined in the future
   which might be used to induce particular actions on the part of the
   recipient, thus presenting additional security risks.  However, this
   type of capability is currently not supported in the referenced
   specification.

   Implementations may fail to implement a specific security model or
   other means to prevent possibly dangerous operations.  Such failure
   might possibly be exploited to gain unauthorized access to a system
   or sensitive information; such failure constitutes an unknown factor
   and is thus considered out of the scope of this document.







Goncalves, et al.           Standards Track                     [Page 6]