xsd:any

["Scott Came" <scott@justiceintegration.com>]

Don, Jim, and TC:

A follow-up to today's discussion concerning use of xsd:any versus arbitrary
attachments...

The comment was made that xsd:any represents a security threat, as it states that the
recipient must be willing to allow literally "any" valid XML structure (potentially limited to inclusion or
exclusion of specified namespaces) at the point where the xsd:any element appears.  The problem is that because of
xsd:any, the schema-aware XML parser cannot help us weed out malicious (or contagious, as Don put it) content from
acceptable, harmless content.

While I don't argue that this is in theory a threat, doesn't the same issue
exist with respect to allowing attachments?  The underlying problem is that both xsd:any and arbitrary attachments are
a mechanism whereby a sender can transmit arbitrary data.  Both xsd:any and the MIME attachment boundary are basically
equivalent signals that "here be arbitrary content (and, potentially, dragons)".  It is incumbent upon the
risk-averse recipient to check that content for harmful or subversive elements.  Only the available mechanisms for
doing so differ.

(This is not an argument in favor of using xsd:any in the Blue message schema; it was only
offered as a strawman to explore the issue Shane was raising on the call.  However, I do think it's an issue for the
TC to consider, with respect to attachments at least.)

Thanks.
--Scott