Cart
|
[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] RE: Traffic Analysis and Namespace Dereferencing
 David Megginson wrote, > Miles Sabin writes: > > It's worth bearing in mind that this also applies to the > > dereferencing of DTD external subsets. > > Absolutely correct -- that's why XML documents for production- > side systems should not include DOCTYPE statements. DTDs and > XML Schemas belong mainly on the authoring side (both as > templates for input tools and for debugging). Hmm ... There are already many production-side systems which validate, and I'm sure there'll be many more in the future. Where the input docs can't be assumed up front to be valid and where DTDs/ schemas are cached locally, this doesn't seem like such a crime. Nevertheless, I've run into a surprising (to me) number of people who ought to know better, but who seem to be only very dimly unaware of the comms implications of not caching locally, and I suspect some of them are going to get their fingers burnt ... when their customers complain because they can't run their apps on network disconnected machines, or because they think the app has embedded spyware, etc. etc. ... > > I can't help worrying that unintentional DoS might turn out > > to be a major problem in the not too distant future ... the > > W3C's servers host an awful lot of critical DTDs, and a awful > > lot of generic XML processors don't cache external subsets or > > use caching HTTP proxies by default. So what would happen if > > w3.org collapsed under the strain of a couple of hundred > > thousand XML editors all starting up at once? > > People will find ways to route around the damage. The only > question is whether people will blame bad design practices or > XML itself. Customers blame vendors, and vendors try to pass the buck. I fully expect to see attempts to blame outages on the W3C for having 'irresponsibly' inadequate servers, or on XML itself. But popping the stack a bit ... does this problem (even if it's actually due to poor practice) suggest another angle on related resource discovery? Suppose we took a vaguely DNS-like distributed, replicated, database approach? And suppose we took a few leaves out of DNSSECs book to combat spoofing and information leakage? Cheers, Miles -- Miles Sabin InterX Internet Systems Architect 5/6 Glenthorne Mews +44 (0)20 8817 4030 London, W6 0LJ, England msabin@i... http://www.interx.com/ 
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! 
Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|
|||||||||
