Skip to content

mention graph isomorphism in security considerations #259

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
pchampin wants to merge 1 commit into
base: main
Choose a base branch
from
Open

mention graph isomorphism in security considerations #259

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions spec/index.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2182,6 +2182,17 @@ <h2>Security Considerations</h2>
in [[[UNICODE-SECURITY]]] [[UNICODE-SECURITY]] and
[[[RFC3987]]] [[RFC3987]] Section 8.</p>

<p>
<a href="#graph-isomorphism">Comparing</a> graphs,
<a href="https://www.w3.org/TR/sparql12-query/">querying</a> them,
Copy link
Contributor

@afs afs Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good to mention that queries can be expensive but there are lots of ways to have expensive queries; better to say they can be expensive and not to focus on a specific situation.

Copy link
Contributor Author

@pchampin pchampin Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This paragraph is not about querying in general, it is about graph isomorphism.

Of course, other factors can make querying complex (or reasoning, for that matter), but then those would be in scope for the corresponding spec (SPARQL-QUERY or RDF-SEMANTICS).

I don't think that the current wording implies that graph isomorphism is the only source of complexity for these tasks.

Copy link
Contributor

@afs afs Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(graphs...) querying them, ... often relies on computing (sub)graph isomorphism

that text groups query with sub-graph isomorphism.

Isomorphism isn't even mentioned in SPARQL query.

Copy link
Contributor

@afs afs Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<a href="https://www.w3.org/TR/sparql12-query/">querying</a> them,

or <a href="https://www.w3.org/TR/rdf12-semantics/#simple_entailment_properties">reasoning</a> with them,
often relies on computing <em>(sub)graph isomorphism</em>,
which is known to be computationally complex in the worst case.
Copy link
Contributor

@afs afs Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
which is known to be computationally complex in the worst case.
which is known to be computationally complex in the worst case.
<a href="https://www.w3.org/TR/sparql12-query/">Querying</a> graphs can also involve computationally complex operations.

This means that malicious graphs can be constructed to cause RDF implementations to stall or run out of memory.
Implementations processing graphs from untrusted sources are expected to provide mitigations;
examples are given in the section on <a data-cite="RDF-CANON#dataset-poisoning">Dataset Poisoning</a> in [[RDF-CANON]].
</p>

<p class="note">These considerations are a more generic form
of Security Considerations for [[RDF12-TURTLE]], [[RDF12-TRIG]], [[RDF12-N-TRIPLES]],
and [[RDF12-N-QUADS]].</p>
Expand Down
Loading