If there is a bug in the XML parser libraries in use today it will be
quickly uncovered by other applications where the consequences are likely
to be more than a DDoS attack.
I wouldn't disagree. The main argument against XML in MARID is that
designing for "extensibility" when we have no experience or agreement on
what directions the extensions will take is unlikely to be useful. I
think it's also a reasonable concern that a design that makes it easy to
load up MARID records with lots of data is likely to lead to far more >512
DNS responses than we've had before, and we have no experience to tell us
how much of a problem that will be, either.
And in any case, if you are still using a language that is vulnerable to
buffer overflow issues you are a decade out of date.
Well, sure, I write all my applications in perl these days. My MTA, like
most MTAs, is written in C but it uses a set of string libraries that
don't have the usual buffer overflow problems.
Of course, there are a lot more kinds of bugs than buffer overflows,
particularly if the semantics of your language (XML or otherwise) can
induce its clients to fetch arbitrary data from sites of your choosing.
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.