ietf-mxcomp

Re: Why not XML

2004-06-23 14:46:07

> > I'd be very surprised if XML MARID documents exercised every single
> > line of code in your XML library, so the absolute size of the
> > library isn't necessarily significant, is it?
>
> Bad guys can publish any complex and hostile MARID documents they
> want.  Typical MARID documents are indeed likely to be pretty simple,
> but if word gets around that there's a bug in an XML library, how long
> will it take until there's MARID data to exploit it?  Minutes, I'd
> guess.

Yes, using XML exposes you to risks associated with possible faults in the code
used to parse XML. I don't think anyone will deny this. My issue was with
the alleged magnitude of this risk. Suppose, for instance, that resolution
of external entities is never undertaken when parsing MARID-XML. Then the
library code that supports this should never be executed. Hence the
MARID-XML parser is likely to be immune to exploits based on faults in this
particular code, no matter what bizarre document an 'attacker' publishes.

I'm sure it would be possible to estimate the XML library code coverage
obtained with MARID XML, look at the bug history of your library, and come
up with a good guess for the risk. I'd guess it's likely to be somewhere
between zero and 100% :-)

There's also the question of what the consequence of such a fault would be.
DoS? Spam from the attacking domain? Something worse?

Something like SPF-original might be done with a small and proven parser.
So the XML-associated risk is avoided, but at what cost?

Of course, the only way for recipients to avoid all risk in processing
MARID is not to do it. You make a strong argument for publisher execution
of the MARID statement.
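The reply's premise, that external entity resolution is "never undertaken" for MARID-XML, is only a guarantee if the parser is configured to refuse the relevant constructs before they are processed. The following is an added example written for this archive page, not code from the thread or from any MARID implementation: it parses a small record-like document with the stdlib expat binding and aborts at the first byte of any DOCTYPE, so neither internal entity expansion nor external entity resolution can be reached by a hostile publisher. The `<record>`, `<mx>` and `<ip4 addr="...">` element names, the 4096-byte cap and the sample documents are constructed stand-ins, not the real MARID schema.

```python
"""Parse a constructed MARID-style XML record while refusing every
DTD-related code path, so a hostile document cannot reach the parser's
entity-handling code.  Element names and size limit are hypothetical."""
import xml.parsers.expat

# Constructed limit: DNS-published policy records are expected to be small,
# so anything larger is treated as hostile before the parser sees it.
MAX_RECORD_BYTES = 4096


class HostileDocument(ValueError):
    """Raised when a document tries to use features this parser never executes."""


def parse_record(doc: bytes) -> dict:
    """Return {"ip4": [...], "mx": bool} from a <record> element.

    Any DOCTYPE (and therefore any entity declaration, internal or external)
    aborts parsing inside the DOCTYPE start handler, before the declaration
    body is read, so entity resolution code is never exercised for this input.
    """
    if len(doc) > MAX_RECORD_BYTES:
        raise HostileDocument("record exceeds %d bytes" % MAX_RECORD_BYTES)

    result = {"ip4": [], "mx": False}
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at "<!DOCTYPE", before the internal subset is parsed.
        raise HostileDocument("DOCTYPE is not allowed in a record")

    def reject_external(context, base, sysid, pubid):
        # Defence in depth: unreachable once DOCTYPE is rejected, since an
        # external entity can only be declared inside a DTD.
        raise HostileDocument("external entity resolution refused")

    def start_element(name, attrs):
        if name == "ip4" and "addr" in attrs:
            result["ip4"].append(attrs["addr"])
        elif name == "mx":
            result["mx"] = True

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start_element
    parser.Parse(doc, True)  # an exception in a handler propagates out of Parse
    return result


def rejected(doc: bytes) -> bool:
    """True if parse_record refuses the document on policy grounds.

    Plain malformed XML raises xml.parsers.expat.ExpatError instead, which is
    deliberately left to propagate: it is a different failure from a policy
    violation.
    """
    try:
        parse_record(doc)
    except HostileDocument:
        return True
    return False


# Constructed sample documents.
GOOD = b'<?xml version="1.0"?><record><mx/><ip4 addr="192.0.2.0/24"/></record>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE record [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
       b'<record>&x;</record>')
LAUGHS = (b'<!DOCTYPE record [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
          b'<record>&b;</record>')
OVERSIZED = b"<record>" + b" " * (MAX_RECORD_BYTES + 1) + b"</record>"

if __name__ == "__main__":
    print(parse_record(GOOD))
    for label, doc in (("xxe", XXE), ("laughs", LAUGHS), ("oversized", OVERSIZED)):
        print(label, "rejected" if rejected(doc) else "accepted")
```

The point of rejecting the DOCTYPE rather than merely declining to resolve external entities is that it also shuts out internal-entity expansion attacks, which the reply's "DoS?" question is really about, and it does so before any of the library's DTD code runs, which is the coverage argument made above stated as a parser setting.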