• From: Elliotte Harold <elharo@m...>
• To: "Costello, Roger L." <costello@m...>
• Date: Sat, 12 Apr 2008 07:27:42 -0700

Costello, Roger L. wrote:
> Hi Folks,
> 
> It just occurred to me ...
> 
> We have determined that XML has two primary roles:
> 
>     1. Encode behavior (instructions)
> 
>     2. Encode data
> 
> I am surely missing something.  Please tell me where my thinking errs.
> 

Your error is in clearly delineating behavior and data. There's not 
really such an obvious distinction. Encoded instructions are data. 
Whether any given XML stream (or byte stream) is interpreted as 
instructions depends on the process reading them. It is not fundamental 
in the data itself.

XML encodes information. There is no limit on the information it 
encodes. *Anything* that can be digitized can be encoded in XML. At a 
base level, the security implications of XML are the same as the 
security implications of arbitrary binary data.

It is not clear that discussing security at this level is useful.

-- 
Elliotte Rusty Harold  elharo@m...
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/

• References:
  • Re: Defining an XML vocabulary: specify syntax, semanti cs, and BEHAVIOR?
    • From: "bryan rasmussen" <rasmussen.bryan@g...>
  • RE: Defining an XML vocabulary: specify syntax, semanti cs, and BEHAVIOR?
    • From: "Len" <cbullard@h...>
  • Re: Defining an XML vocabulary: specify syntax, semanti cs, and BEHAVIOR?
    • From: "bryan rasmussen" <rasmussen.bryan@g...>
  • XML is Mobile Code? [was: Defining an XML vocabulary: specify syntax, semantics, and BEHAVIOR?]
    • From: "Costello, Roger L." <costello@m...>