
entity-resolution message


Subject: Re: [entity-resolution] RE: OASIS - Catalog Threat ?

Well, I guess we should discuss this before disbanding the ER TC ;-) Can 
we do it by email, or should we hold a phone call?


Mary McRae said the following on 05/02/2007 6:13 AM:
> Hi Lauren,
>   This email was sent to communications (Carol Geyer).
> Regards,
> Mary
>> -----Original Message-----
>> From: Steven J. Hathaway [mailto:shathawa@e-z.net]
>> Sent: Sunday, February 04, 2007 12:28 PM
>> To: communications@oasis-open.org
>> Subject: OASIS - Catalog Threat ?
>> I recommend that (Sec: 4.1.1) of the OASIS entity resolver 
>> catalog specification be revised to help avoid the 
>> development of products that have misleading identifier trust.
>> OASIS is a general entity resolver and catalog.  It can now 
>> be used with XML.  The specification document (Sec: 4.1.1) 
>> describing the 'prefer' attribute may harbor a security 
>> threat related to identifier trust.
>> Normally, the Public identifiers have global scope, and 
>> therefore a high probability of trust.  The System 
>> identifiers normally have a restricted scope - that of a 
>> specific system - and therefore do not have the global trust.
>> When a document is passed between systems, it is undefined 
>> what the scope of System identifier implies.  Herein lies an 
>> OASIS catalog threat.  A document may have both Public and 
>> System identifiers proclaiming to be associated with the 
>> Public resource.  Since the document could be received from a 
>> foreign system, the Public and System identifiers may no 
>> longer define the same resource. The System identifiers in 
>> messages received from foreign systems should have a lower 
>> threshold of trust than Public identifiers.
>> The 'prefer' attribute is often set to 'public' for a catalog 
>> or group.  And if both a Public and System identifier for the 
>> resource reside in the catalog, the System replacement text 
>> is used.  Most developers would imply that the Public 
>> replacement text should be used (See Section 4.1.1. table).
>> The 'prefer' attribute should be set to 'system' to handle 
>> those documents that are only generated and consumed by the 
>> same system.
>> Sincerely,
>> Steven J. Hathaway
>> Email: shathawa@e-z.net
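
The 'prefer' behaviour discussed in the quoted message, as an added example that is not part of the thread: a simplified Python model of catalog lookup, modelled on the Section 4.1.1 table and covering only `system` and `public` entries. The function names, identifiers and URIs are constructed for illustration.

```python
# Added illustration: simplified XML Catalog external-identifier resolution.
# Models only `system` and `public` entries; rewrite, suffix, delegate and
# nextCatalog entries and URN unwrapping are left out.

def resolve(catalog, public_id=None, system_id=None):
    """catalog: list of (kind, identifier, uri, prefer) tuples, where
    prefer is the value in scope for that entry. Returns (uri, source)."""
    # A matching system entry always wins, whatever prefer says.
    if system_id is not None:
        for kind, ident, uri, _prefer in catalog:
            if kind == "system" and ident == system_id:
                return uri, "catalog system entry"
    # Public entries: when the document also carries a system identifier,
    # only entries under prefer="public" are considered.
    if public_id is not None:
        for kind, ident, uri, prefer in catalog:
            if kind == "public" and ident == public_id:
                if system_id is None or prefer == "public":
                    return uri, "catalog public entry"
    # No catalog match: fall back to the document's own system identifier.
    return system_id, "document system identifier"

# Constructed sample identifiers and URIs (not from the thread).
PUB = "-//EXAMPLE//DTD Sample 1.0//EN"
SYS_LOCAL = "http://example.org/dtd/sample.dtd"
SYS_FOREIGN = "http://foreign.example.net/sample.dtd"

def catalog_for(prefer, with_system_entry):
    entries = [("public", PUB, "file:///catalog/by-public/sample.dtd", prefer)]
    if with_system_entry:
        entries.append(("system", SYS_LOCAL, "file:///catalog/by-system/sample.dtd", prefer))
    return entries

def decision_table():
    """Resolve the same document identifiers under each catalog setup."""
    rows = {}
    for prefer in ("public", "system"):
        for with_sys in (True, False):
            cat = catalog_for(prefer, with_sys)
            rows[(prefer, with_sys, "both-local")] = resolve(cat, PUB, SYS_LOCAL)
            rows[(prefer, with_sys, "both-foreign")] = resolve(cat, PUB, SYS_FOREIGN)
            rows[(prefer, with_sys, "public-only")] = resolve(cat, PUB, None)
    return rows

if __name__ == "__main__":
    for key, (uri, source) in sorted(decision_table().items()):
        print(key, "->", source, uri)
```

The rows to compare are `both-foreign` under each `prefer` value: with `prefer="public"` the catalog's public entry is used, while with `prefer="system"` and no matching system entry the document's own system identifier is returned unchanged.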
