
Re: [Bug 11] Protection against XML Denial Of Service attacks

From: Lisa Dusseault <lisa@osafoundation.org>
Date: Thu, 1 Dec 2005 10:58:04 -0800
Message-Id: <be45c019ace1809cc42df65b5a096944@osafoundation.org>
Cc: w3c-dist-auth@w3.org
To: Julian Reschke <julian.reschke@gmx.de>

Sorry about that -- I'll blame both a brain fart and the fact that I lost
access to bugzilla immediately after I entered this, so I couldn't change
it.  I do see how a 4xx error is better because the same request won't
succeed later.  Which 4xx response though?

Lisa

On Dec 1, 2005, at 9:25 AM, Julian Reschke wrote:

> bugzilla@soe.ucsc.edu wrote:
>> http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=11
>> lisa@osafoundation.org changed:
>>            What    |Removed                     |Added
>> ----------------------------------------------------------------------------
>>          AssignedTo|lisa@osafoundation.org      |julian.reschke@greenbytes.de
>>              Status|ASSIGNED                    |NEW
>> ------- Additional Comments From lisa@osafoundation.org  2005-11-30 14:42 -------
>> I didn't understand the part about removing the section on 503 -- what's wrong
>> with it?  The part about XML entities I've fixed.
>
> We discussed this during the conference call: 5xx is a server error,  
> in particular 503 means "not now but maybe later". If a server detects  
> a DOS attack, that's the last thing it would want to tell the client.
>
> Servers are free to do whatever they want should they detect a DOS  
> attack. If they want to be friendly, a 4xx with explanation would be  
> right.
>
> Best regards, Julian
Received on Thursday, 1 December 2005 18:58:18 GMT
