Subject: RE: OASIS - Catalog Threat ?
Hi Lauren,

This email was sent to communications (Carol Geyer).

Regards,
Mary

> -----Original Message-----
> From: Steven J. Hathaway [mailto:firstname.lastname@example.org]
> Sent: Sunday, February 04, 2007 12:28 PM
> To: email@example.com
> Subject: OASIS - Catalog Threat ?
>
> I recommend that (Sec: 4.1.1) of the OASIS entity resolver catalog
> specification be revised to help avoid the development of products
> that have misleading identifier trust.
>
> OASIS is a general entity resolver and catalog. It can now be used
> with XML. The specification document (Sec: 4.1.1) describing the
> 'prefer' attribute may harbor a security threat related to
> identifier trust.
>
> Normally, the Public identifiers have global scope, and therefore a
> high probability of trust. The System identifiers normally have a
> restricted scope - that of a specific system - and therefore do not
> have the global trust.
>
> When a document is passed between systems, it is undefined what the
> scope of System identifier implies. Herein lies an OASIS catalog
> threat. A document may have both Public and System identifiers
> proclaiming to be associated with the Public resource. Since the
> document could be received from a foreign system, the Public and
> System identifiers may no longer define the same resource. The
> System identifiers in messages received from foreign systems should
> have a lower threshold of trust than Public identifiers.
>
> The 'prefer' attribute is often set to 'public' for a catalog or
> group. And if both a Public and System identifier for the resource
> reside in the catalog, the System replacement text is used. Most
> developers would imply that the Public replacement text should be
> used (See Section 4.1.1. table).
>
> The 'prefer' attribute should be set to 'system' to handle those
> documents that are only generated and consumed by the same system.
>
> Sincerely,
> Steven J. Hathaway
> Email: firstname.lastname@example.org
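The resolution behaviour Steven describes (a system entry winning even when the catalog says prefer="public") can be seen in a small model of catalog lookup. The following Python is an added example, not code from the OASIS specification or from the mailing-list post. It assumes the lookup order given in the XML Catalogs specification: entries matching a supplied system identifier are tried first; public entries are consulted afterwards, but a public entry whose effective 'prefer' value is 'system' is skipped when a system identifier was supplied. Only plain public and system entries are modelled (no rewrite or delegate entries), and all identifiers, URIs and the "foreign origin" helper are constructed for illustration.

```python
"""Toy model of the OASIS XML Catalog 'prefer' rule (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Entry:
    kind: str                     # "public" or "system"
    identifier: str               # public or system identifier to match
    uri: str                      # replacement text, i.e. the resource really loaded
    prefer: Optional[str] = None  # per-entry/group override of the catalog default


@dataclass
class Catalog:
    prefer: str = "public"        # catalog-level default of the 'prefer' attribute
    entries: List[Entry] = field(default_factory=list)

    def effective_prefer(self, entry: Entry) -> str:
        return entry.prefer or self.prefer


def resolve(catalog: Catalog, public_id: Optional[str] = None,
            system_id: Optional[str] = None) -> Optional[str]:
    """Return the replacement URI, or None if no catalog entry matches."""
    # Step 1: system entries always get the first chance when a system id exists,
    # regardless of the 'prefer' setting.
    if system_id is not None:
        for e in catalog.entries:
            if e.kind == "system" and e.identifier == system_id:
                return e.uri
    # Step 2: public entries, subject to 'prefer'.
    if public_id is not None:
        for e in catalog.entries:
            if e.kind != "public" or e.identifier != public_id:
                continue
            if system_id is not None and catalog.effective_prefer(e) == "system":
                continue  # prefer="system": public entry ignored when a system id was given
            return e.uri
    return None


def resolve_by_origin(catalog: Catalog, public_id: Optional[str],
                      system_id: Optional[str], same_system: bool) -> Optional[str]:
    """Assumed mitigation (not from the spec): a system identifier carried by a
    document from a foreign system is dropped before lookup, so only the
    globally scoped public identifier decides which resource is loaded."""
    return resolve(catalog, public_id, system_id if same_system else None)


# Constructed sample data: one public identifier, a local system identifier
# that points at the same DTD, and a cached foreign copy under a foreign id.
PUBLIC_ID = "-//EXAMPLE//DTD Order 1.0//EN"
LOCAL_SYS = "http://local.example/dtd/order.dtd"
FOREIGN_SYS = "http://foreign.example/dtd/order.dtd"
LOCAL_DTD = "file:///etc/xml/order.dtd"
FOREIGN_DTD = "file:///var/cache/foreign/order.dtd"

SAMPLE_ENTRIES = [
    Entry("public", PUBLIC_ID, LOCAL_DTD),
    Entry("system", LOCAL_SYS, LOCAL_DTD),
    Entry("system", FOREIGN_SYS, FOREIGN_DTD),
]
CATALOG_PREFER_PUBLIC = Catalog("public", list(SAMPLE_ENTRIES))
CATALOG_PREFER_SYSTEM = Catalog("system", list(SAMPLE_ENTRIES))


def demo() -> dict:
    """Collect the outcomes discussed in the post for the constructed catalog."""
    return {
        # Both ids supplied, prefer="public": the system entry still wins.
        "public_pref_both": resolve(CATALOG_PREFER_PUBLIC, PUBLIC_ID, FOREIGN_SYS),
        # Unknown system id, prefer="public": falls back to the public entry.
        "public_pref_unknown_sys": resolve(CATALOG_PREFER_PUBLIC, PUBLIC_ID,
                                           "http://unknown.example/x.dtd"),
        # Unknown system id, prefer="system": public entry is ignored entirely.
        "system_pref_unknown_sys": resolve(CATALOG_PREFER_SYSTEM, PUBLIC_ID,
                                           "http://unknown.example/x.dtd"),
        # No system id at all: public entry is used under either setting.
        "system_pref_public_only": resolve(CATALOG_PREFER_SYSTEM, PUBLIC_ID),
        # Foreign document: drop its system id, resolve by public id only.
        "foreign_origin_mitigated": resolve_by_origin(
            CATALOG_PREFER_PUBLIC, PUBLIC_ID, FOREIGN_SYS, same_system=False),
    }


if __name__ == "__main__":
    for name, uri in demo().items():
        print(f"{name:28s} -> {uri}")
```

The first entry of the demo is the case in the post: with both identifiers present in the document and both present in the catalog, prefer="public" does not make the public replacement text win, because system entries are matched first. The `resolve_by_origin` helper is one way to apply the post's observation that system identifiers from foreign systems deserve less trust: strip them before lookup so the public identifier alone selects the resource.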