RE: rfc2518bis DAV DTD (was Re: How to use DTDs, or not ...)

> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Stanley Guan
> Sent: Tuesday, October 14, 2003 10:24 PM
> To: w3c-dist-auth@w3.org
> Subject: Re: rfc2518bis DAV DTD (was Re: How to use DTDs, or not ...)
>
>
>
> Hi,
>
> I'm new on this mailing list.  So, forgive me if my questions were
> brought up before.

Sure.

> For security consideration, external XML entities are considered
> vulnerable to denial of service attack. So, I agree that WebDAV
> messages MUST not be validated using DTDs.  Or it can be
> optional, if an implementation opts to do that.

I think we need to be precise here. As far as I understand, the XML
recommendation defines only one very specific form of validation, and it
is based on the document/message declaring its document type.

Exactly this kind of validation is completely useless in XML based
protocols: it's completely irrelevant whether a document conforms to a DTD
that the *sender* provides. It would be only interesting to validate against
the DTD expected by the *recipient*. Doing the latter of course is
completely up to the recipient -- however it must be aware of the fact that
the DTD (fragments) in RFC2518 and related specs only describe part of the
constraints, and that a recipient MUST accept way more message variations than
the DTDs (per XML rec) allow.

> Anyone else have ever thought of using XML Schema, instead of
> DTD, to validate WebDAV messages?  Any security concerns?

If the schema or the reference to the schema is provided by the sender of
the message, I think the same concerns apply. If the schema is hardwired
into the recipient, none apply.

On the other hand, I don't see any big advantage in using XML Schema as
replacement in WebDAV specs. It only solves one particular problem (DTDs'
ignorance of namespaces), but is a lot harder to read. If we really decide
not to use DTD syntax anymore, we should consider a schema language that can
*really* express the DAV extensibility rules, and that's easy to read by the
(human) readers of the spec. As far as I understand, Relax NG (compact
syntax) would qualify.

You may also want to check out RFC3470 ("Guidelines for the Use of
Extensible Markup Language (XML) within IETF Protocols"), section 4.7.

> Will appreciate your inputs!

Regards, Julian

--
<green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760

Received on Wednesday, 15 October 2003 04:44:29 UTC
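
The recipient-side check discussed in the message above, as an added example that is not part of the original post or of any WebDAV implementation: the rule for a PROPFIND body is hardwired into the receiver, nothing the sender declares is consulted, and unknown extension elements are ignored rather than rejected. Refusing any DOCTYPE declaration outright is an assumption of this sketch (one possible policy), and the names `check_propfind`, `RejectedBody` and the sample bodies are constructed for illustration.

```python
import xml.parsers.expat

DAV = "DAV:"
# Recipient's own rule, never taken from the message: one of these per propfind.
PROPFIND_CHOICES = {"allprop", "propname", "prop"}
# Constructed sample bodies (not captured traffic).
SAMPLE_OK = (b'<D:propfind xmlns:D="DAV:" xmlns:x="http://example.com/ns">'
             b'<x:hint/><D:prop><D:getetag/></D:prop></D:propfind>')
SAMPLE_DOCTYPE = (b'<!DOCTYPE propfind SYSTEM "http://sender.example/dav.dtd">'
                  b'<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>')


class RejectedBody(Exception):
    """Request body refused by the recipient-side checks."""


def check_propfind(body: bytes) -> str:
    """Return which DAV: request kind a PROPFIND body carries, or raise RejectedBody."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    path, found = [], []  # open-element stack; understood DAV: children of the root

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A sender-declared document type proves nothing to the recipient and is
        # the hook for entity declarations, so this sketch refuses it (assumption).
        raise RejectedBody("DOCTYPE declaration not accepted")

    def on_start(name, attrs):
        ns, _, local = name.rpartition(" ")
        if not path and (ns, local) != (DAV, "propfind"):
            raise RejectedBody("root element is not DAV:propfind")
        if len(path) == 1 and ns == DAV and local in PROPFIND_CHOICES:
            found.append(local)
        # Anything else, in any namespace, is skipped instead of failing the message.
        path.append((ns, local))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: path.pop()
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedBody(f"not well-formed: {exc}") from None
    if len(found) != 1:
        raise RejectedBody("expected exactly one of allprop, propname, prop")
    return found[0]
```

`check_propfind(SAMPLE_OK)` returns `"prop"` even though the body carries an unknown `x:hint` element, while `SAMPLE_DOCTYPE` is refused before any element is examined.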