OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Re: [xml-dev] Here's why it's not always a good idea to embed validationinformation (e.g., schemaLocation) in instance documents

Richard Salz wrote:
>> Your presentation looks good, but I'm not sure it goes far enough. Was 
>> there ever a good reason to embed validation information in an instance 
>> document? Isn't that fundamentally backwards, like trusting a thief 
>> because /he says/ he's not a thief?
> Sometimes you might have reason to trust the sender. Or the implications 
> of getting it wrong if you do trust him may not matter.  Or the cost of 
> doing out of band configuration may exceed the costs of getting the trust 
> wrong.  For example, if you are building generic XML stuff (like, say an 
> appliance :).

I agree those are reasons - they just aren't good reasons :-).

> We support schemaLocation.  But we also have a configuration operation 
> that passes the URL's through a set of rewrite rules so that, e.g., you 
> can rewrite remote schema to a local version that you trust.

The default ought to be secure and fulfil most use cases. I don't 
understand why schemaLocation isn't at least turned off by default in 
more schema validators.


John Snelson, Oracle Corporation            http://snelson.org.uk/john
Berkeley DB XML:            http://oracle.com/database/berkeley-db/xml
XQilla:                                  http://xqilla.sourceforge.net

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS