
Re: [Bug 11] Protection against XML Denial Of Service attacks

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 01 Dec 2005 18:25:42 +0100
Message-ID: <438F3216.8020206@gmx.de>
To: w3c-dist-auth@w3.org
CC: Lisa Dusseault <lisa@osafoundation.org>

bugzilla@soe.ucsc.edu wrote:
> http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=11
> 
> lisa@osafoundation.org changed:
> 
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>          AssignedTo|lisa@osafoundation.org      |julian.reschke@greenbytes.de
>              Status|ASSIGNED                    |NEW
> 
> 
> 
> ------- Additional Comments From lisa@osafoundation.org  2005-11-30 14:42 -------
> I didn't understand the part about removing the section on 503 -- what's wrong
> with it?  
> 
> The part about XML entities I've fixed.

We discussed this during the conference call: 5xx is a server error, in 
particular 503 means "not now but maybe later". If a server detects a 
DOS attack, that's the last thing it would want to tell the client.

Servers are free to do whatever they want should they detect a DOS 
attack. If they want to be friendly, a 4xx with explanation would be right.

Best regards, Julian
Received on Thursday, 1 December 2005 17:27:26 GMT
