XML Editor - Download a Free Trial >
See What's New >
Buy Now >

[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

RE: Excellent IETF BCP on XML

  • To: 'Tim Bray' <tbray@t...>
  • Subject: RE: Excellent IETF BCP on XML
  • From: "Bullard, Claude L (Len)" <clbullar@i...>
  • Date: Mon, 25 Nov 2002 15:10:34 -0600
  • Cc: XML Dev <xml-dev@l...>
bcp for xml explicit
Play the video
I must have overestimated this reply:

Re: TB16 Re: Comments on arch doc draft  
Author: Tim Bray <tbray@t...>, 
Date: Tue, 02 Jul 2002 14:47:55 -0700 List: Public/www-tag 

I have to hope those that should are thinking 
clearly about the security issues associated 
with the use of URIs as names and their ubiquity 
throughout XML.   We've been around this issue 
many times and the insistence that dereferenceable 
strings be used rather than purposefully non-dereferenceable 
names always outweighs the security concerns.  
Certainly, one pleads for common sense and competence, 
but installations often break jobs and duties up among 
different individuals and groups, and that means 
competence is averaged at best.  In such a situation, guidelines 
must be explicit and the processes for applying them, 
well executed and well checked.

Safe doesn't mean "Secure" and that should be made clear.

len

-----Original Message-----
From: Tim Bray [mailto:tbray@t...]

Bullard, Claude L (Len) wrote:

> Tim Bray assured us on the www-tag list that
> the namespace UR:/URI in no way is a security issue
> and cited his experience with security agencies
> of the US Government.   I gotta believe they
> thought about this.  In effect, the protocol
> designer has to specify what is to be done
> via automagic dereferencing as URIs are always
> dereferenceable.

I don't believe this for a second and hope I didn't say that.  Should 
something like RDDL take off it would provide a convient place for 
black-hats to point to subversive code that does nasty stuff.

Note that dereferencing a URI via GET is in principle and as far as I 
can tell in practice safe, assuming you protect against infinitely-large 
resource representations.  Acting on the data you get carries risk that 
is in principle and in practice unbounded and requires all sorts of 
trust infrastructure -Tim

PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
Email
First Name
Last Name
Company
Subscribe in XML format
RSS 2.0
Atom 0.3
 

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.


Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

XML Editor - Download a 15 Day Free Trial Now >
See What's New in Stylus Studio >
Buy Stylus Studio - XML Editor - Now >
Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.