[Bug 11] Protection against XML Denial Of Service attacks

http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=11

------- Additional Comments From julian.reschke@greenbytes.de  2005-11-29 10:26 -------
Proposed resolution: follow pointers from
<http://greenbytes.de/tech/webdav/draft-reschke-webdav-rfc2518bis-latest.html#rfc.issue.bz011>,
summary:

Removed section explaining why 503 is a candidate status code for detected DOS
attacks (this doesn't make any sense at all, because if a server indeed detects
a DOS attack, it will signal a client error, not a "not now, but maybe later"
condition). Rename Section 19.6 to "Implications of XML entities", and
also explain the so-called one-billion-laughs-attack over there. Expand Section
8.1.1 to point to the various risks described in Section 19, and give advice on
how to reject those requests.
Received on Tuesday, 29 November 2005 18:26:50 UTC
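One way to implement the rejection the comment calls for, as an added example that is not part of the bug report or of the 2518bis draft: the request body is parsed with Python's standard-library expat binding, any entity declaration (the mechanism behind the one-billion-laughs attack) aborts parsing immediately, and the outcome is mapped to a client error rather than 503. The function name, the status-code mapping and the sample bodies are assumptions constructed for this example.

```python
# Added example (not from the bug report): reject WebDAV request bodies
# that declare XML entities, signalling a client error as the comment argues.
import xml.parsers.expat


class RejectedXml(Exception):
    """Raised from a parser callback to abort parsing early."""


def check_request_body(body: bytes, reject_doctype: bool = False) -> int:
    """Return the HTTP status a server should answer with for this body.

    200 -> well-formed and free of entity declarations (process normally)
    400 -> not well-formed XML
    403 -> declares entities (or any DOCTYPE when reject_doctype=True)
    The status values are an assumption chosen for this example.
    """
    parser = xml.parsers.expat.ParserCreate()

    # Fires on every <!ENTITY ...> declaration, internal or external,
    # before any reference to it is expanded.
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise RejectedXml("entity declaration: %s" % name)

    # Optional stricter policy: a WebDAV body never needs a DTD at all.
    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise RejectedXml("doctype: %s" % name)

    parser.EntityDeclHandler = on_entity_decl
    if reject_doctype:
        parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(body, True)
    except RejectedXml:
        return 403
    except xml.parsers.expat.ExpatError:
        return 400
    return 200


# Constructed sample bodies for illustration.
PROPFIND_OK = b'<?xml version="1.0"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>'
ENTITY_BODY = (b'<?xml version="1.0"?><!DOCTYPE propfind [<!ENTITY a "aaaa">'
               b'<!ENTITY b "&a;&a;&a;&a;">]><propfind>&b;</propfind>')
NOT_WELL_FORMED = b'<D:propfind xmlns:D="DAV:">'
BARE_DOCTYPE = b'<!DOCTYPE propfind><propfind/>'
```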