OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
RE: [xml-dev] Features of XML Languages that Increase Complexity?

Seriously curious.
What aspect of XML makes it unsuitable for a hardened data transfer format ?
(Assuming the channel itself is hardened).

I know that the US Military is using XML to transfer strategic information in a very hardened fashion.
What aspect of XML makes that something that you would not choose ? (and some other format fares better).

Yes I know that certian *processors* of XML may have volunerability.
But what about the XML Format itself makes inherently less secure ?
It's just bits under the hood ... as with any other data format.   Isnt security and protection up to the processor of those bits ?
Not the bits themselves ?
Perhaps (likely?) I am missing something really obvious ... 

David A. Lee

-----Original Message-----
From: Simon St.Laurent [mailto:simonstl@simonstl.com] 
Sent: Sunday, April 14, 2013 1:40 PM
To: xml-dev@lists.xml.org
Subject: Re: [xml-dev] Features of XML Languages that Increase Complexity?

On 4/14/13 12:08 PM, Costello, Roger L. wrote:
> I reckon there's not much point in creating an awesome XML language
> if its complexity exposes input-processing applications to widespread
> vulnerabilities.

It all depends on the context of that processing.  The vulnerabilities 
you see in XML seem most likely to create denial-of-service 
possibilities, and there are many many cases where at most that creates 
a headache followed by a stern note not to do that again.

If you are striving to create something hardened and operating in real 
time, you probably need either not to use XML or to build some slight 
intelligence and monitoring into your processing system.  I don't think 
any of that work is unusual today.

Letting such processing run fully automatic, especially in an 
environment you consider both critical and already compromised, seems 
like a poor software design decision.

Simon St.Laurent


XML-DEV is a publicly archived, unmoderated list hosted by OASIS
to support XML implementation and development. To minimize
spam in the archives, you must subscribe before posting.

[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
subscribe: xml-dev-subscribe@lists.xml.org
List archive: http://lists.xml.org/archives/xml-dev/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS