- From: Stanley Guan <stanley.guan@oracle.com>
- Date: Wed, 15 Oct 2003 09:51:35 -0700
- To: <w3c-dist-auth@w3.org>
Julian,

Thank you for your comments. Personally I'm working on the implementation of
XML Schema. So, I'm talking more from the XML Schema perspective. Sorry for
the bias. See my response below.

-Stanley

----- Original Message -----
From: "Julian Reschke" <julian.reschke@gmx.de>
To: "Stanley Guan" <stanley.guan@oracle.com>; <w3c-dist-auth@w3.org>
Sent: Wednesday, October 15, 2003 1:42 AM
Subject: RE: rfc2518bis DAV DTD (was Re: How to use DTDs, or not ...)

> > From: w3c-dist-auth-request@w3.org
> > [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Stanley Guan
> > Sent: Tuesday, October 14, 2003 10:24 PM
> > To: w3c-dist-auth@w3.org
> > Subject: Re: rfc2518bis DAV DTD (was Re: How to use DTDs, or not ...)
> >
> >
> >
> > Hi,
> >
> > I'm new on this mailing list. So, forgive me if my questions were
> > brought up before.
>
> Sure.
>
> > For security consideration, external XML entities are considered
> > vulnerable to denial of service attack. So, I agree that WebDAV
> > messages MUST not be validated using DTDs. Or it can be
> > optional, if an implementation opts to do that.
>
> I think we need to be precise here. As far as I understand, the XML
> recommendation does only define one very specific form of validation, and it
> is based on the document/message declaring its document type.
>
> Exactly this kind of validation is completely useless in XML based
> protocols: it's completely irrelevant whether a document conforms to a DTD
> that the *sender* provides. It would be only interesting to validate against
> the DTD expected by the *recipient*. Doing the latter of course is
> completely up to the recipient -- however it must be aware of the fact that
> the DTD (fragments) in RFC2518 and related specs only describe part of the
> constraints, and that a recipient MUST accept way more message variations as
> the DTDs (per XML rec) allow.

Yes, it matters only on how recipients use the DTD, or possible other schemas,
to validate the message. RFC 2518 didn't dictate whether the recipient should
use DTD, XML Schema, or Relax NG to validate the XML message. Right?

>
> > Anyone else have ever thought of using XML Schema, instead of
> > DTD, to validate WebDAV messages? Any security concerns?
>
> If the schema or the reference to the schema is provided by the sender of
> the message, I think the same concerns apply. If the schema is hardwired
> into the recipient, none apply.

If the schema is provided by the sender, say using SchemaLocation, it should
be ignored by the recipient from the same security consideration. XML Schema
spec says SchemaLocation only provides a hint, an implementation can
rightfully ignore the information provided by the sender.

In this case, I was thinking of hardwiring the schema to the recipient.

>
> On the other hand, I don't see any big advantage in using XML Schema as
> replacement in WebDAV specs. It only solves one particular problem (DTDs
> ignorance of namespaces), but is a lot harder to read. If we really decide
> not to use DTD syntax anymore, we should consider a schema language that can
> *really* express the DAV extensibility rules, and that's easy to read by the
> (human) readers of the spec. As far as I understand, Relax NG (compact
> syntax) would qualify.

I'm not a big fan of XML Schema either. But, I think XML Schema WG is trying
hard to correct some of the problems in its original design.

However, managing namespaces is a big concern. Current approach for new
extensions is just extending DAV: namespace. This introduces a versioning
control issue.

Currently, DAV extensions are using XML structures in a limited way. To handle
these structures, I think, XML Schema can provide good support for its
constraint specification and address extensibility by using its "extension"
or similar mechanisms.

What I'm trying to say here is: TRUE, the whole XML Schema spec. is hard to
read; but, if you are careful enough to use a subset of its features, it's
still a good tool for message validation.

Lastly, XML Schema has been widely supported by most software vendors.

>
> You may also want to check out RFC3470 ("Guidelines for the Use of
> Extensible Markup Language (XML) within IETF Protocols", section 4.7).
>

Sure!

> > Will appreciate your inputs!
>
> Regards, Julian
>
> --
> <green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760
>
>
Received on Wednesday, 15 October 2003 12:52:30 UTC
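
Added example, not part of the original message or of any WebDAV implementation: a recipient-side check of a PROPFIND body in the spirit of the thread, refusing any sender-declared DOCTYPE, leaving a sender-supplied schemaLocation undereferenced, and applying only the recipient's own hardwired rule while skipping unknown extension elements. The names check_propfind and RejectedMessage, the sample bodies and the sender.example URLs are assumptions, and a hand-written check stands in here for a full hardwired schema.

```python
from xml.parsers import expat

XSI_HINT = "http://www.w3.org/2001/XMLSchema-instance schemaLocation"
# Recipient's own, hardwired expectation: RFC 2518 propfind content model.
PROPFIND_FORMS = {"DAV: allprop", "DAV: propname", "DAV: prop"}
# Constructed sample bodies (sender.example and urn:example:ext are made up).
GOOD = (b'<D:propfind xmlns:D="DAV:" xmlns:x="urn:example:ext" '
        b'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        b'xsi:schemaLocation="DAV: http://sender.example/dav.xsd">'
        b'<x:future/><D:allprop/></D:propfind>')
WITH_DTD = (b'<!DOCTYPE propfind SYSTEM "http://sender.example/dav.dtd">'
            b'<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>')


class RejectedMessage(ValueError):
    """The request body failed the recipient's own checks."""


def check_propfind(body: bytes) -> dict:
    """Return the requested PROPFIND form plus any ignored schema hints."""
    state = {"depth": 0, "forms": [], "ignored_hints": []}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # A sender-declared document type is refused outright, so no
        # internal or external entity is ever defined or fetched.
        raise RejectedMessage("DOCTYPE not allowed in request body")

    def on_start(name, attrs):
        if XSI_HINT in attrs:  # sender's hint: recorded, never dereferenced
            state["ignored_hints"].append(attrs[XSI_HINT])
        if state["depth"] == 0 and name != "DAV: propfind":
            raise RejectedMessage(f"unexpected root element {name!r}")
        if state["depth"] == 1 and name in PROPFIND_FORMS:
            state["forms"].append(name.split(" ", 1)[1])
        state["depth"] += 1  # unknown children are skipped, not rejected

    def on_end(name):
        state["depth"] -= 1

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise RejectedMessage(f"not well-formed: {exc}") from exc
    if len(state["forms"]) != 1:
        raise RejectedMessage("expected exactly one of allprop/propname/prop")
    return {"form": state["forms"][0], "ignored_hints": state["ignored_hints"]}
```

check_propfind(GOOD) accepts the body despite the unknown x:future element and reports the schemaLocation value as an ignored hint; check_propfind(WITH_DTD) raises RejectedMessage before any element is processed.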