OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

entity-resolution message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: OASIS - Catalog Threat ?

Hi Lauren,

  This email was sent to communications (Carol Geyer).



> -----Original Message-----
> From: Steven J. Hathaway [mailto:shathawa@e-z.net]
> Sent: Sunday, February 04, 2007 12:28 PM
> To: communications@oasis-open.org
> Subject: OASIS - Catalog Threat ?
> I recommend that (Sec: 4.1.1) of the OASIS entity resolver 
> catalog specification be revised to help avoid the 
> development of products that have misleading identifier trust.
> OASIS is a general entity resolver and catalog.  It can now 
> be used with XML.  The specification document (Sec: 4.1.1) 
> describing the 'prefer' attribute may harbor a security 
> threat related to identifier trust.
> Normally, the Public identifiers have global scope, and 
> therefore a high probability of trust.  The System 
> identifiers normally have a restricted scope - that of a 
> specific system - and therefore do not have the global trust.
> When a document is passed between systems, it is undefined 
> what the scope of System identifier implies.  Herein lies an 
> OASIS catalog threat.  A document may have both Public and 
> System identifiers proclaiming to be associated with the 
> Public resource.  Since the document could be received from a 
> foreign system, the Public and System identifiers may no 
> longer define the same resource. The System identifiers in 
> messages received from foreign systems should have a lower 
> threshold of trust than Public identifiers.
> The 'prefer' attribute is often set to 'public' for a catalog 
> or group.  And if both a Public and System identifier for the 
> resource reside in the catalog, the System replacement text 
> is used.  Most developers would imply that the Public 
> replacement text should be used (See Section 4.1.1. table).
> The 'prefer' attribute should be set to 'system' to handle 
> those documents that are only generated and consumed by the 
> same system.
> Sincerely,
> Steven J. Hathaway
> Email: shathawa@e-z.net

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]