[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

RE: Excellent IETF BCP on XML

• To: 'Miles Sabin' <miles@m...>, XML Dev <xml-dev@l...>
• Subject: RE: Excellent IETF BCP on XML
• From: "Bullard, Claude L (Len)" <clbullar@i...>
• Date: Fri, 22 Nov 2002 15:39:53 -0600

Yes, I have but I may be missing your point. 
We've known about external entity retrieval 
problems since the SGML days.  They were a 
nuisance more than a threat then.   Somewhere way 
back when, this issue was brought up by 
Newcomb, myself, et al at the dawn of the 
webUberAlles era.   It is pretty obvious to 
anyone that thinks about linking.  Remember, 
the concept of linkbases is really really old. 
The wrinkle never seen before was using them 
for names too.  In olden times, one could 
use a PUBLIC name and it would be non-dereferenceable 
by design rather than by fiat.

I am simply wondering how many other ways it can 
be exploited using the network if the AnythingImportantIsURINamed 
and Smart People Prepend HTTP philosophy is 
followed without understanding that these things 
are always/whereevertheyarefound dereferenceable.

len

-----Original Message-----
From: Miles Sabin [mailto:miles@m...

Bullard, Claude L (Len) wrote,
> Yep.  However, since packets are sniffable?

Umm ... you've not been paying attention, have you ;-)

Other than the stuff David mentioned, the external entity attacks I 
disussed here,

• Follow-Ups:
  • Re: Excellent IETF BCP on XML
    • From: Miles Sabin <miles@m...>

• Prev by Date: Re: Excellent IETF BCP on XML
• Next by Date: Re: What are the arguments *for* XHTML 2.0?
• Previous by thread: Re: Excellent IETF BCP on XML
• Next by thread: Re: Excellent IETF BCP on XML
• Index(es):
  • Date
  • Thread