
[Bug 11] Protection against XML Denial Of Service attacks

From: <bugzilla@soe.ucsc.edu>
Date: Sun, 4 Dec 2005 01:13:19 -0800
Message-Id: <200512040913.jB49DJPS010738@ietf.cse.ucsc.edu>
To: w3c-dist-auth@w3.org

http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=11

julian.reschke@greenbytes.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|julian.reschke@greenbytes.de|lisa@osafoundation.org
             Status|ASSIGNED                    |NEW



------- Additional Comments From julian.reschke@greenbytes.de  2005-12-04 01:13 -------
We discussed this during the conference call: 5xx is a server error, in 
particular 503 means "not now but maybe later". If a server detects a 
DOS attack, that's the last thing it would want to tell the client.

Servers are free to do whatever they want should they detect a DOS 
attack. If they want to be friendly, a 4xx with explanation would be right.

Please also note that the current draft is missing one of the changes I made,
namely (at the end of Section 8.1.1):

"Note that processing XML submitted by an untrusted source may cause risks
connected to privacy, security, and service quality (see Section 19). Servers
MAY reject questionable requests (even though they consist of well-formed XML),
for instance with a 400 (Bad Request) status code and an optional response body
explaining the problem."

(<http://greenbytes.de/tech/webdav/draft-reschke-webdav-rfc2518bis-latest.html#rfc.section.8.1.1>)

Received on Sunday, 4 December 2005 09:13:34 GMT
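The comment above argues that a server which spots XML it considers questionable (well-formed, but shaped like a denial-of-service payload) should answer with a 4xx plus an explanation rather than a 503. The following is an added example, not code from the RFC 2518bis draft, from Bugzilla or from any WebDAV server, showing how such a guard can be built on the Python standard library's expat binding: entity declarations are refused outright (they cover both "billion laughs" expansion and external-entity tricks), element nesting is capped, oversize bodies are refused before parsing, and every refusal maps to 400 (Bad Request) with a short reason in the body. The limits MAX_BODY and MAX_DEPTH, the QuestionableXML exception, the respond() helper and the sample request bodies are all assumptions constructed for the example; 207 (Multi-Status) stands in for a normal PROPFIND success.

```python
"""Reject XML denial-of-service payloads on a WebDAV-style endpoint with a 400
(Bad Request) and an explanatory body, never a 503.

Added example; not code from RFC 2518bis or from any real WebDAV server.
MAX_BODY and MAX_DEPTH are assumed values a deployment would tune.
"""
import xml.parsers.expat

MAX_BODY = 64 * 1024   # assumed: largest PROPFIND/PROPPATCH body we will parse
MAX_DEPTH = 32         # assumed: deepest element nesting we will accept


class QuestionableXML(Exception):
    """Body is (or may be) well-formed XML but looks like an attack."""


def parse_guarded(body: bytes) -> int:
    """Parse `body` with expat under DoS limits and return the element count.

    Raises QuestionableXML for entity declarations, excessive nesting or an
    oversize body, and xml.parsers.expat.ExpatError for malformed XML.
    """
    # Size is checked before any parsing so a huge body costs nothing.
    if len(body) > MAX_BODY:
        raise QuestionableXML(f"body of {len(body)} bytes exceeds {MAX_BODY}")

    parser = xml.parsers.expat.ParserCreate()
    depth = 0
    count = 0

    def entity_decl(*_args):
        # Internal entities ("billion laughs") and external entities are both
        # declared through this handler; WebDAV request bodies need neither.
        raise QuestionableXML("entity declarations are not accepted")

    def start(_name, _attrs):
        nonlocal depth, count
        depth += 1
        count += 1
        if depth > MAX_DEPTH:
            raise QuestionableXML(f"element nesting deeper than {MAX_DEPTH}")

    def end(_name):
        nonlocal depth
        depth -= 1

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(body, True)
    return count


def respond(body: bytes) -> tuple[int, str]:
    """Map the parse outcome to an HTTP status and an explanatory body.

    Both malformed and questionable-but-well-formed XML are the client's
    problem, so both get 4xx; 503 would wrongly invite the client to retry.
    """
    try:
        n = parse_guarded(body)
    except xml.parsers.expat.ExpatError as e:
        return 400, f"malformed XML: {e}"
    except QuestionableXML as e:
        return 400, f"request refused: {e}"
    return 207, f"ok ({n} elements)"


# Constructed sample bodies (not taken from any real client).
PROPFIND_OK = (b'<?xml version="1.0"?>'
               b'<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>')

BILLION_LAUGHS = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
    b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>'
    b'<D:propfind xmlns:D="DAV:"><D:prop><D:x>&lol3;</D:x></D:prop></D:propfind>')

DEEP_NESTING = b"<a>" * 40 + b"</a>" * 40
OVERSIZE = b"<a>" + b"x" * MAX_BODY + b"</a>"
MALFORMED = b"<a><b></a>"


if __name__ == "__main__":
    for label, body in [("normal PROPFIND", PROPFIND_OK),
                        ("billion laughs", BILLION_LAUGHS),
                        ("deep nesting", DEEP_NESTING),
                        ("oversize body", OVERSIZE),
                        ("malformed", MALFORMED)]:
        status, text = respond(body)
        print(f"{label:16s} -> {status} {text}")
```

The design point worth noting is that the refusal happens in the declaration handler, before any entity is expanded, so the server never pays the expansion cost that the attack relies on; the nesting cap likewise fires on the first element past the limit rather than after the whole document has been built. Neither condition is a server fault, which is why respond() keeps both on the 4xx side.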