- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 02 Sep 2004 11:49:09 +0100
- To: Shivaram Mysore <shivarammysore@yahoo.com>
- Cc: www-xkms@w3.org
Shivaram, Like you, I dislike the "unbounded" stuff. However, I'm not that sure that simply punting to wsdl is entirely right here, for the following reasons: - Does wsdl define the error handling for such cases? If not then we'll have to. - The way that schemas (incl. ours) tend to work is that you don't know you're going to hit the limit in advance, that is, there's no "numberOfChildren" attribute in a parent element, so it'd probably be v. hard for anything but an xkms "layer" to detect that there are too many elements (and we've a lot of occurrences of "unbounded" in the schema). - People who are coding using xml libraries of various sorts may inherit either limitations or else the inability to enforce limits, either way there might be an issue. - Given that "unbounded" is IMO effectively a DoS vulnerability, there are (system, not crypto) security reasons for us to think about this ourselves, e.g. an open responder could be pelted with huge register requests. - Lastly, I don't know what the coders we've got have done. So I'd suggest a bit more thought on this before we figure out what (if any!) fixes/clarifications etc. starting with the coders telling us what their code does, specifically: - Are all occurrences of "unbounded" handled the same? - Does you code have any configured/hard-coded limits on any of these, and if so, would you like to tell us more? - Is it easy or hard for your code (or some other "layer") to enforce any limit? - How'd your code react to crazy xkms messages with millions of elements? - Your fav. suggestion for handling this? Stephen. Shivaram Mysore wrote: > I have updated the spec on my side to make these changes: > > 1. Issue TBD: Fixed Para 86 - inserted "A collection of d" in the > OpaqueClientData [Optional] section > 2. Issue TBD: Fixed Para 94: inserted ", including its children," to > clarify further > > I felt that the fix to para 94 was not necessary, but, as it is > confusing to a few folks, it does not hurt to add the phrase. > > One other item that I am thinking of adding to the specification is: > > "For elements that have maxOccurs="unbounded", implementations can > define WSDLs for that kind of a service which restrict the maxOccurs > value to a finite value." > > By doing this, we can keep the schema intact and the implementations can > scale. > > > > /Shivaram > > */tommy lindberg <lindberg_tommy@hotmail.com>/* wrote: > > > > Hi Stephen - > > >(unless you want to suggest clearer text that'd help the next > developer not > >miss this) > > It may be somewhat clearer (and consistent with the rest of the > spec) if > 'Section > 3.1.4 Element ' also mentioned its child element > stating that > there is a 1-many relationship between the two. > > Something like: > > [94]The element contains data specified by the client > that is opaque > to the service. has the following element > > [1..AnyNumber] > Data specified by the client that is opaque to the service. > > An XKMS service SHOULD return the element specified in > a request, including > its children, unmodified in the corresponding response. > > The following adjustment to '3.1.1 Type MessageAbstractType' may al > so be > useful: > > [Optional] > A collection of data specified by the client that is opaque to the > service. > An XKMS service SHOULD return the content of the > element unmodified > in a response with status code Success. > > Regards > Tommy > > >From: Stephen Farrell > >To: tommy lindberg > >CC: alvarorg@cs.tcd.ie, www-xkms@w3.org > >Subject: Re: Opaque (Client) Data > >Date: Wed, 01 Sep 2004 12:51:54 +0100 > > > > > > > >Hi Tommy, > > > >Fine by me. > > > >So assuming no objections when those on the wrong^h^h^h^h^hother side > >of the Atlantic and elsewhere wake up, there's nothing to do and no > >need to open an issue (unless you want to suggest clearer text that'd > >help the next developer not miss this). > > > >Cheers, > >Stephen. > > > >tommy lindberg wrote: > > > >> > >>I'd favor leaving the schema as is in this respect. I have fixed > my code > >>to handle the multiplicity correctly; not yet deployed. > >> > >>Regards, > >>Tommy > >> > >>>From: Stephen Farrell > >>>To: Guillermo Álvaro Rey > >>>CC: www-xkms@w3.org > >>>Subject: Re: Opaque (Client) Data > >>>Date: Wed, 01 Sep 2004 12:06:19 +0100 > >>> > >>> > >>> > >>>I could live with either interpretation, but slightly prefer > >>>to allow >1 because: > >>> > >>>- its the current schema > >>>- I think it might be easier for a client who's using field > >>> to be able to easily add/find values (though this is a bit > >>> tenuous, I admit) > >>> > >>>But I'm happy to change the schema if coders prefer to only > >>>allow one OpaqueData to be present. > >>> > >>>I doubt that anyone's got a real use for >1 OpaqueData so far, > >>>so this ought to be a safe enough change to make if you guys > >>>want to do it (please yell if this is untrue). > >>> > >>>Cheers, > >>>Stephen. > >>> > >>>Guillermo Álvaro Rey wrote: > >>> > >>>>Hi all, > >>>> > >>>>Following our client-server tests Tommy and myself were > discussing about > >>>>the number of OpaqueData elements that the specification > *intend* to > >>>>allow in an OpaqueClientData element. > >>>> > >>>>It seems that the way the schema currently stands multiple > OpaqueData > >>>>children are allowed for a OpaqueClientData element, > >>>> > >>>> > >>>> > >>>> > >>>> > >>>>, but currently only the first one is handled by Tommy's > implementation > >>>>and so we would like to get confirmation that that's not the > expected > >>>>behaviour. > >>>> > >>>>Cheers, > >>>> > >>>> - -Guillermo > >>>> > >>>> > >>>> > >>> > >> > >>_________________________________________________________________ > >>Tired of spam? Get advanced junk mail protection with MSN 8. > >>http://join.msn.com/?page=features/junkmail > >> > > > > _________________________________________________________________ > Add photos to your e-mail with MSN 8. Get 2 months FREE*. > http://join.msn.com/?page=features/featuredemail > > > __________________________________________________ > D o You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com >
Received on Thursday, 2 September 2004 10:48:04 UTC