RE: Registration of MIME media type application/vnd.nokia-mrv+xml

again, the specs don't have to be public, but the specs should exist and be referenced. we don't want to register types that aren't yet defined.

LH> Yes we have mature specs.

and part of the purpose of the registration is to inform implementors, and the public, about the risks of using the type. so I don't really like statements of the form "users must determine the risks for themselves" but we don't have a mechanism for denying registrations in vnd.* space.

LH> I think that a comment along the lines: "the content type should be discarded by systems which do not know what to do with it. Knowledge about this content type handling can be gained from existing (but currently unpublished specifications). Please check http://nokia.nokia.com for the specs which will be released in the near future"

I wish there were some effective way to compel vendors to be responsible regarding the security risks to which they expose their customers. So far, we haven't found one.

LH> Bottom line: If you don't know what to do with a content type then you should discard it.

Leon.

Bottom line: If you don't know what to do with a content type then you should discard it.

there's no need to say that explicitly, that's a given. the point is this - just because the recipient's implementation "knows what to do with" a content-type does not mean that its "doing that" is an acceptable risk for the recipient. far too many vendors abuse their customers by exposing them to risks for which the customers are generally unaware, unable to evaluate, and wouldn't accept if they knew what they were.

Keith

participants (2)
- Keith Moore
- Leon.Hurst@nokia.com