2008-03-03 04:21:37
On Sun, Mar 02, 2008 at 08:50:58PM +0000,
 Tony Finch <dot(_at_)dotat(_dot_)at> wrote 
 a message of 16 lines which said:

The latest RISKS gives an example 

The actual original reference is:

Perhaps the security considerations section of the draft should
describe some ways of mitigating it?

Yes. I suggest (continuing the first paragraph of section 7):

On the client side, implementors MUST use the existing solutions to
limit the rate of access to the origin server. They include:

* ability to use HTTP caching ([RFC 2616], section 13)
* local storage of data, together with HTTP headers like
  If-Modified-Since ([RFC 2616], section 14.25)
* XML catalogs ([OASIS 2001]) 

On the server side, server managers should be aware that some clients
will not play nice, as described in [W3C 2008]. Server managers should
be prepared to use measures such as rate-limiting as well as IP
blacklisting of the worst offenders.

[W3C 2008] W3C's Excessive DTD Traffic. Ted
Guild. <>

[OASIS 2001] XML Catalogs Committee Specification 06 Aug 2001. Ed.:
Norman Walsh.
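
A client-side sketch of the first two measures proposed above (a local
catalog consulted first, then a cache validated with If-Modified-Since
per [RFC 2616] section 14.25), added here as an illustration and not
part of the original message or the draft; the DTD identifiers, URLs,
the Last-Modified date and the fake origin server are all constructed.

```python
# Constructed stand-in for an XML catalog: DTD identifiers mapped to local
# copies, so these are never requested from the origin server at all.
LOCAL_CATALOG = {"http://example.invalid/dtd/doc.dtd": "<!ELEMENT doc (#PCDATA)>"}

class DtdCache:
    """Local catalog first, then a cache validated with If-Modified-Since."""

    def __init__(self, fetcher, catalog=LOCAL_CATALOG):
        self.fetcher = fetcher  # callable(url, headers) -> (status, headers, body)
        self.catalog = catalog
        self.cache = {}         # url -> (body, Last-Modified value to echo back)
        self.origin_requests = 0

    def resolve(self, url):
        if url in self.catalog:  # catalog hit: zero network traffic
            return self.catalog[url]
        headers = {}
        if url in self.cache:    # stored copy: ask only whether it changed
            headers["If-Modified-Since"] = self.cache[url][1]
        self.origin_requests += 1
        status, resp_headers, body = self.fetcher(url, headers)
        if status == 304:        # unchanged: reuse the stored body
            return self.cache[url][0]
        if status == 200:
            self.cache[url] = (body, resp_headers.get("Last-Modified", ""))
            return body
        raise RuntimeError(f"unexpected status {status} for {url}")

# Constructed fake origin that honours If-Modified-Since (by exact date match,
# which is enough for the demo) and counts the full-body responses it sends.
class FakeOrigin:
    LAST_MODIFIED = "Sun, 02 Mar 2008 20:50:58 GMT"  # constructed value

    def __init__(self):
        self.full_responses = 0

    def __call__(self, url, headers):
        if headers.get("If-Modified-Since") == self.LAST_MODIFIED:
            return 304, {}, ""
        self.full_responses += 1
        return 200, {"Last-Modified": self.LAST_MODIFIED}, "<!ELEMENT html (head, body)>"

def demo(parses=100):
    # Simulate `parses` documents that each reference one remote and one
    # catalogued DTD; a naive client would fetch 2 * parses full bodies.
    origin = FakeOrigin()
    cache = DtdCache(origin)
    for _ in range(parses):
        cache.resolve("http://example.invalid/dtd/xhtml1-strict.dtd")  # 1 body, then 304s
        cache.resolve("http://example.invalid/dtd/doc.dtd")            # catalog, no request
    return origin.full_responses, cache.origin_requests  # -> (1, 100)
```

With the catalog and a validating cache, 100 parses cost the origin one
full DTD body and 99 cheap 304 replies instead of 200 full downloads.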

