
Schemas considered dangerous (was Re: Another look at namespaces)

  • From: David Megginson <david@m...>
  • To: "XML-DEV" <xml-dev@i...>
  • Date: Fri, 17 Sep 1999 05:45:07 -0400 (EDT)

Tim Berners-Lee writes:

 > Perhaps perception of it is clouded by the fact that XML 1.0 doesn't
 > mention namespaces at all, and XML NS does not mention schemas at
 > all.  In other words, the specs -- having to only refer backwards
 > in time -- have not been good at pointing to how the future
 > architecture will fit together.

There's also the critically-important point that most programming
languages (such as C++ and Java) do the equivalent of schema
processing at compile time (where it's secure and not time-critical),
while XML processors will have to do it at run time.  That means that
there are a few potentially-nasty problems:

1. The burden of determining inheritance and class relationships falls
   on the processor, which has to repeat it for each cycle.

2. Processing time is not predictable, since schemas can reference
   other schemas to an unknown depth.

3. Processing is not secure, since schemas will likely be able to
   refer to schemas at other sites.

For an example of the third problem (which is the most serious), let's
imagine that I have the following document:

  <memo xmlns="http://www.megginson.com/ns/memo/">
   <recipient>Tim Berners-Lee</recipient>
   <sender>David Megginson</sender>
   <p>We'll have the new product ready next month: please remember
      that this is confidential.</p>
  </memo>

Now, my 'memo' schema says that it is derived from a 'memo' schema
hosted at the W3C site:

  http://www.megginson.com/ns/memo/ 
    is a kind of 
  http://www.w3.org/schemas/memo#

Assume that the schema at the W3C site has the schema equivalent of
the following DTD construction:

  <!ATTLIST memo
    security-level (public|confidential) "confidential">

That means that, by default, my memo is confidential.  Now, what if
someone cracks the W3C's Web site (not mine), and changes this to the
equivalent of

  <!ATTLIST memo
    security-level (public|confidential) "public">

I write my memo, send it to my document system, and it automatically
displays it on my public Web site.  Ouch!


All the best,


David

-- 
David Megginson                 david@m...
           http://www.megginson.com/

xml-dev: A list for W3C XML Developers. To post, mailto:xml-dev@i...
Archived as: http://www.lists.ic.ac.uk/hypermail/xml-dev/ and on CD-ROM/ISBN 981-02-3594-1
To (un)subscribe, mailto:majordomo@i... the following message;
(un)subscribe xml-dev
To subscribe to the digests, mailto:majordomo@i... the following message;
subscribe xml-dev-digest
List coordinator, Henry Rzepa (mailto:rzepa@i...)
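
Added example, not part of the original post: a Python sketch of the defaulting problem described in the message and one defensive check against it, pinning the reviewed upstream declaration by digest and refusing to publish when it has changed. The function names, the pin constant, the sample data and the use of an internal DTD subset to stand in for the remote schema are all assumptions made for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample data: a memo in the post's namespace and two versions of
# the upstream declaration, as reviewed and after tampering.
MEMO = ('<memo xmlns="http://www.megginson.com/ns/memo/">'
        '<sender>David Megginson</sender><p>New product next month.</p></memo>')
UPSTREAM_GOOD = b'<!ATTLIST memo security-level (public|confidential) "confidential">'
UPSTREAM_TAMPERED = b'<!ATTLIST memo security-level (public|confidential) "public">'

# Hypothetical pin: digest recorded when the upstream schema was reviewed.
PINNED_SHA256 = hashlib.sha256(UPSTREAM_GOOD).hexdigest()


class SchemaIntegrityError(Exception):
    """The fetched schema does not match the reviewed copy."""


def verify_schema(fetched: bytes, pinned_sha256: str = PINNED_SHA256) -> bytes:
    """Return the schema bytes only if they match the pinned digest."""
    if hashlib.sha256(fetched).hexdigest() != pinned_sha256:
        raise SchemaIntegrityError("upstream schema changed since review")
    return fetched


def effective_security_level(memo: str, declarations: bytes) -> str:
    """Parse the memo with the declarations applied, as a defaulting processor would."""
    doc = "<!DOCTYPE memo [%s]>%s" % (declarations.decode("ascii"), memo)
    return ET.fromstring(doc).get("security-level")


def may_publish(memo: str, fetched_schema: bytes) -> bool:
    """Fail closed: publish only if the schema is the reviewed one and yields 'public'."""
    try:
        schema = verify_schema(fetched_schema)
    except SchemaIntegrityError:
        return False
    return effective_security_level(memo, schema) == "public"
```

The memo text is identical in both cases; only the declaration supplied from outside changes the value the processor sees, which is why the check is on the schema bytes rather than on the document.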


