Re: Validing parser required?
Sam Ruby wrote:
> In the interest of being "cleanly and thoroughly specified", the AtomPub
> Working Group should decide whether consumers should be required to use
> validating XML parsers in order to consistently and correctly handle the
> Atom feed and protocol.
> ...
I think this discussion is pointless unless there'll be a normative
schema (in the generic sense) that *can* be used to validate Atom. As
far as I understand namespace usage and extension rules already rule out
DTDs and XML Schema.

Are we prepared to require something else like RNG? I doubt so.

On the other hand (as others pointed out), allowing document types
introduces several kinds of Denial-of-Service attacks, and generally
makes little sense, unless the recipient *always* validates against its
own copy of the DTD instead of the one referenced in the request.

WebDAV faces a similar problem, and the current consensus seems to be:

- recipients MUST NOT attempt to validate the message, and
- recipients MAY reject certain DTD subsets in requests (such as when
  external entities are referenced, or the recipient detects situations
  like the one called the "billion laughs attack")

Regards, Julian
--
<green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760
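
Added example, not part of the original message: a recipient-side sketch in Python of the two WebDAV rules quoted above, using the non-validating expat parser and refusing DTD subsets before any entity is expanded. The names parse_message, verdict and RejectedDTD and the sample documents are constructed for illustration, and rejecting every internal entity declaration is an assumed conservative policy.

```python
import xml.parsers.expat as expat


class RejectedDTD(ValueError):
    """The message carries a DTD subset this recipient refuses to process."""


def parse_message(data: bytes) -> list:
    """Parse without validating; return element names in document order."""
    names = []
    parser = expat.ParserCreate()  # expat never validates against a DTD

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # An external subset lives at a location chosen by the sender.
        if system_id is not None or public_id is not None:
            raise RejectedDTD("external DTD subset referenced")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:
            raise RejectedDTD("external entity declared: %s" % name)
        # Assumed policy: nested expansion needs internal entity declarations,
        # so refuse at the first one, before any reference can be expanded.
        raise RejectedDTD("internal entity declared: %s" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = lambda tag, attrs: names.append(tag)
    parser.Parse(data, True)  # an exception raised in a handler aborts the parse
    return names


def verdict(data: bytes) -> str:
    try:
        parse_message(data)
        return "accept"
    except RejectedDTD as exc:
        return "reject: %s" % exc


# Constructed sample messages.
PLAIN = b"<feed><title>t</title></feed>"
# Violates its own DTD (feed is declared EMPTY) but is accepted: no validation.
NOT_VALID = b"<!DOCTYPE feed [<!ELEMENT feed EMPTY>]><feed><title>t</title></feed>"
EXTERNAL_DTD = b'<!DOCTYPE feed SYSTEM "http://example.invalid/feed.dtd"><feed/>'
EXTERNAL_ENTITY = b'<!DOCTYPE feed [<!ENTITY x SYSTEM "file:///placeholder">]><feed>&x;</feed>'
NESTED = b'<!DOCTYPE feed [<!ENTITY a "ha"><!ENTITY b "&a;&a;">]><feed>&b;</feed>'

if __name__ == "__main__":
    for doc in (PLAIN, NOT_VALID, EXTERNAL_DTD, EXTERNAL_ENTITY, NESTED):
        print(verdict(doc))
```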