Re: draft-duerst-iana-namespace-00.txt

2008-03-02 16:40:44
Tony Finch wrote:
The latest RISKS gives an example of the magnitude of the problem of
unwanted traffic caused by using URLs instead of URNs for protocol
identification URIs. Perhaps the security considerations section of the
draft should describe some ways of mitigating it?


I think this is a misunderstanding.

The URI of a DTD is needed to fetch the DTD. The W3C suffers from
clients that refetch the DTD all the time.

Contrary to that, XML processors do not resolve namespace URIs; they are
purely used as identifiers.

That's certainly how things are supposed to work. It may or may not be how they
actually work.

Some years back one of my email addresses ended up in a few of the headers of a
MIME test message corpus. This corpus isn't part of any standard and was never
widely promoted, and there's no obvious path by which an address in a test
message header would or should be replied to. Yet the fact remains that over
the years I've received hundreds of bogus responses as a result of this.

The bottom line is that if something is syntactically usable people will screw
up and use it; the only question is how often. For example, I could easily see
some bit of code being written that attempts to resolve anything that looks
like a URL no matter what context it appears in.

Now, maybe in this case it won't happen often enough to matter. I certainly
hope that's the case. But one of the things we're supposed to do here is try
and anticipate possible difficulties, and given past history I think some
concern is warranted.

