
Re: Issue 4 Proposed Resolution (was: why no doc type declaration and PIs in SOAP)

From: Rich Salz <rsalz@zolera.com>
Date: Tue, 02 Oct 2001 21:50:33 -0400
Message-ID: <3BBA6EE9.B1A5083C@zolera.com>
To: Bob Hutchison <hutch@xampl.com>
CC: xml dist <xml-dist-app@w3.org>

> So we are talking about accommodating a very simple XML processor here. One
> that cannot recognise a DTD or a PI, yet that is smart enough to know how to
> skip over them. Does such a parser exist?

It can certainly be smart enough to see a <!DOCTYPE marker and barf.
Seeing DOCTYPE is a lot different from adding entity support, as in <foo
xmlns:ds="&dsig;">, particularly if they're external entities.

I also have security concerns about DTDs.  Without any kind of security
framework in place, a tricky client could send a server a SOAP message
with an external entity that the server will blindly access, when the
client itself was disallowed.  Do you know any XML processors that have
access-checking-callbacks on entity resolution?
	/r$
-- 
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com
Received on Tuesday, 2 October 2001 21:49:22 GMT
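
Added example, not part of the original message or of any project named in it: a sketch in Python's expat binding of the two behaviours the message contrasts, rejecting a message as soon as <!DOCTYPE is seen, and consulting an access-check callback before any external entity is resolved. The function name parse_message, the allow_schemas_only policy, the schemas.example and internal.example hosts and the sample messages are all constructed for illustration; nothing is fetched.

```python
from urllib.parse import urlsplit
from xml.parsers import expat


class DoctypeForbidden(ValueError):
    """The message carries a <!DOCTYPE declaration."""


class EntityAccessDenied(PermissionError):
    """The access-check callback refused an external entity."""


def allow_schemas_only(system_id, public_id):
    # Hypothetical policy: only https URLs on one trusted host may be resolved.
    parts = urlsplit(system_id or "")
    return parts.scheme == "https" and parts.hostname == "schemas.example"


def parse_message(data, authorize=None):
    """Parse one message; return the external entity system ids that were authorized.

    authorize=None: any DOCTYPE is rejected outright.
    authorize=func: DTDs are accepted, but func(system_id, public_id) is
    consulted for every external entity reference before it could be resolved.
    """
    parser = expat.ParserCreate()
    permitted = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if authorize is None:
            raise DoctypeForbidden(f"DOCTYPE {name!r} not allowed")

    def on_external_entity(context, base, system_id, public_id):
        if authorize is None or not authorize(system_id, public_id):
            raise EntityAccessDenied(system_id)
        permitted.append(system_id)  # a real resolver would fetch here
        return 1  # tell expat to continue; this sketch loads nothing

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(data, True)  # exceptions raised in handlers propagate from here
    return permitted


# Constructed sample messages.
PLAIN = b"<Envelope><Body>ok</Body></Envelope>"
DENIED = (b'<!DOCTYPE Envelope [<!ENTITY ext SYSTEM "http://internal.example/secret">]>'
          b"<Envelope><Body>&ext;</Body></Envelope>")
ALLOWED = (b'<!DOCTYPE Envelope [<!ENTITY ext SYSTEM "https://schemas.example/common.ent">]>'
           b"<Envelope><Body>&ext;</Body></Envelope>")
```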
