On Sun, Mar 02, 2008 at 08:50:58PM +0000,
Tony Finch <dot(_at_)dotat(_dot_)at> wrote
a message of 16 lines which said:
The latest RISKS gives an example
The actual original reference is:
http://www.w3.org/blog/systeam/2008/02/08/w3c_s_excessive_dtd_traffic
Perhaps the security considerations section of the draft should
describe some ways of mitigating it?
Yes. I suggest (continuing the first paragraph of section 7):
On the client side, implementors MUST use the existing solutions to
limit the rate of access to the origin server. They include:
* ability to use HTTP caching ([RFC 2616], section 13)
* local storage of data, together with HTTP headers like
If-Modified-Since ([RFC 2616], section 14.25)
* XML catalogs ([OASIS 2001])
On the server side, server managers should be aware that some clients
will not play nice, as described in [W3C 2008]. Server managers should
be prepared to use measures such as rate-limiting as well as IP
blacklisting of the worst offenders.
[W3C 2008] W3C's Excessive DTD Traffic. Ted
Guild. <http://www.w3.org/blog/systeam/2008/02/08/w3c_s_excessive_dtd_traffic>
[OASIS 2001] XML Catalogs Committee Specification 06 Aug 2001. Ed.:
Norman Walsh.
<http://www.oasis-open.org/committees/entity/spec-2001-08-06.html>
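A client-side DTD resolver that applies the mitigations proposed above (XML catalog lookup first, then a local cache revalidated with If-Modified-Since), as an added example that is not part of the original message or the draft; the origin server, catalog entry and DTD URL are constructed stand-ins, and the fetch function is injected so it runs offline.

```python
import time

# Constructed catalog entry: an identifier mapped to a local copy, so the
# origin server is never contacted for it (the [OASIS 2001] approach).
CATALOG = {"http://example.invalid/catalogued.dtd": "<!-- local copy of DTD -->"}

class DtdResolver:
    def __init__(self, fetch, max_age=3600, catalog=CATALOG):
        self.fetch = fetch        # fetch(url, headers) -> (status, headers, body)
        self.max_age = max_age    # seconds a cached copy is served without revalidation
        self.catalog = dict(catalog)
        self.cache = {}           # url -> (body, last_modified, fetched_at)

    def resolve(self, url, now=None):
        now = time.time() if now is None else now
        if url in self.catalog:
            return self.catalog[url]                 # catalog hit: no network at all
        entry = self.cache.get(url)
        if entry and now - entry[2] < self.max_age:
            return entry[0]                          # fresh enough: serve from cache
        headers = {}
        if entry and entry[1]:
            headers["If-Modified-Since"] = entry[1]  # conditional GET (RFC 2616, 14.25)
        status, resp_headers, body = self.fetch(url, headers)
        if status == 304 and entry:
            self.cache[url] = (entry[0], entry[1], now)  # unchanged: keep old body
            return entry[0]
        if status != 200:
            raise RuntimeError(f"failed to fetch {url}: HTTP {status}")
        self.cache[url] = (body, resp_headers.get("Last-Modified"), now)
        return body

class FakeOrigin:
    """Constructed stand-in for a DTD server; counts what it is asked for."""
    def __init__(self, body, last_modified="Fri, 08 Feb 2008 00:00:00 GMT"):
        self.body, self.last_modified = body, last_modified
        self.full_hits = self.revalidations = 0

    def __call__(self, url, headers):
        if headers.get("If-Modified-Since") == self.last_modified:
            self.revalidations += 1
            return 304, {}, ""
        self.full_hits += 1
        return 200, {"Last-Modified": self.last_modified}, self.body

def demo(parses=1000, interval=60):
    """Simulate one parse per `interval` seconds; return (full downloads, 304s)."""
    origin = FakeOrigin("<!-- constructed DTD body -->")
    resolver = DtdResolver(origin, max_age=3600)
    url = "http://example.invalid/uncatalogued.dtd"  # placeholder DTD location
    for i in range(parses):
        resolver.resolve(url, now=i * interval)
    return origin.full_hits, origin.revalidations
```

With these settings 1000 parses cost the origin one full download and sixteen cheap 304 responses instead of 1000 downloads; without the cache or the catalog every parse would be a full fetch.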