RE: [xml-dev] XML is Mobile Code? [was: Defining an XML vocabulary: spe

["Len" <cbullard@hiwaay.net>]

Yes.  XML is analogous to a piano roll if a piano roll could be put into any
device and the device could recognize it as a piano roll even it isn't a
piano.

But to play, a player piano is required.

Implications to security:  please elaborate on why security at this level is
not worth discussing.

The delineation of behavior and data enables the recognition of the data
syntax but not its interpretation so it can have multiple interpretations.
But there is a observable limit on the size of the set of useful
interpretations.  How that limit is related to the values of the selectors
acting over the set within the sets to which it is related determines the
interpretation set.

len


From: Elliotte Harold [mailto:elharo@metalab.unc.edu] 
 
Costello, Roger L. wrote:
> Hi Folks,
> 
> It just occurred to me ...
> 
> We have determined that XML has two primary roles:
> 
>     1. Encode behavior (instructions)
> 
>     2. Encode data
> 
> I am surely missing something.  Please tell me where my thinking errs.
> 

Your error is in clearly delineating behavior and data. There's not 
really such an obvious distinction. Encoded instructions are data. 
Whether any given XML stream (or byte stream) is interpreted as 
instructions depends on the process reading them. It is not fundamental 
in the data itself.

XML encodes information. There is no limit on the information it 
encodes. *Anything* that can be digitized can be encoded in XML. At a 
base level, the security implications of XML are the same as the 
security implications of arbitrary binary data.

It is not clear that discussing security at this level is useful.