Barry,

Done, draft-ietf-regext-unhandled-namespaces-07 has been posted. Let us know if you have any additional feedback.

Thanks,

--
JG

James Gould
Fellow Engineer
jgo...@verisign.com
703-948-3271
12061 Bluemont Way
Reston, VA 20190
Verisign.com <http://verisigninc.com/>

On 1/26/21, 1:47 PM, "Barry Leiba" <barryle...@computer.org> wrote:

> All good, and thanks. Go ahead and post a revised I-D when you're ready.
>
> >> The answer to all of that might be “no”, but it would be good to… as
> >> we used to say in school, show your work.
> >
> > Yes, the quick answer is that I don't see the server using this as a
> > source for an attack, but we can add a consideration to help mitigate
> > it. I can add the sentence "Since the unhandled namespace context is
> > XML that is not processed in the first pass by the XML parser, the
> > client SHOULD consider validating the XML when the content is
> > processed to protect against the inclusion of malicious content." The
> > content is not processed by a client that doesn't support the service,
> > where the <extValue> element provides a signal of the lack of client
> > support along with the XML content that is initially unprocessed. If
> > the client does decide to process the XML content systematically, the
> > additional sentence can provide guidance to not open up a security
> > hole. Do you believe this will help? Do you have any additional
> > recommended text?
>
> I have nothing further to recommend, and I do think it will help -- if
> at least to show that it was thought about, and that the "nothing new
> here" statement isn't just perfunctory.
>
> Thanks.
>
> Barry

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext