[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: Excellent IETF BCP on XML

• To: "Bullard, Claude L (Len)" <clbullar@i...>
• Subject: Re: Excellent IETF BCP on XML
• From: Tim Bray <tbray@t...>
• Date: Fri, 22 Nov 2002 16:23:47 -0800
• Cc: 'Miles Sabin' <miles@m...>,XML Dev <xml-dev@l...>
• In-reply-to: <15725CF6AFE2F34DB8A5B4770B7334EE0DF8DE@h...>
• References: <15725CF6AFE2F34DB8A5B4770B7334EE0DF8DE@h...>
• User-agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.2b) Gecko/20021016

Bullard, Claude L (Len) wrote:

> Tim Bray assured us on the www-tag list that
> the namespace UR:/URI in no way is a security issue
> and cited his experience with security agencies
> of the US Government.   I gotta believe they
> thought about this.  In effect, the protocol
> designer has to specify what is to be done
> via automagic dereferencing as URIs are always
> dereferenceable.

I don't believe this for a second and hope I didn't say that.  Should 
something like RDDL take off it would provide a convient place for 
black-hats to point to subversive code that does nasty stuff.

Note that dereferencing a URI via GET is in principle and as far as I 
can tell in practice safe, assuming you protect against infinitely-large 
resource representations.  Acting on the data you get carries risk that 
is in principle and in practice unbounded and requires all sorts of 
trust infrastructure -Tim

• Follow-Ups:
  • Re: Excellent IETF BCP on XML
    • From: Eric Bohlman <ebohlman@e...>
  • Re: Excellent IETF BCP on XML
    • From: Miles Sabin <miles@m...>

• References:
  • RE: Excellent IETF BCP on XML
    • From: "Bullard, Claude L (Len)" <clbullar@i...>

• Prev by Date: Re: XHTML and OpenOffice
• Next by Date: Web Services -- The City of Jericho?
• Previous by thread: Re: Excellent IETF BCP on XML
• Next by thread: Re: Excellent IETF BCP on XML
• Index(es):
  • Date
  • Thread