I hope you understand that there are many facts which determine when vendor related specs get published. In addition there are occasions when the MIME type needs registration prior to public distribution of the specs.
again, the specs don't have to be public, but the specs should exist and be referenced. we don't want to register types that aren't yet defined. and part of the purpose of the registration is to inform implementors, and the public, about the risks of using the type. so I don't really like statements of the form "users must determine the risks for themselves" but we don't have a mechanism for denying registrations in vnd.* space. I wish there were some effective way to compel vendors to be responsible regarding the security risks to which they expose their customers. So far, we haven't found one. Keith