
  • From: "Michael Kay" <mike@s...>
  • To: "'Costello, Roger L.'" <costello@m...>,<xml-dev@l...>
  • Date: Sat, 12 Apr 2008 12:59:08 +0100

Well, terrorists can blow up an aeroplane by sending the SMS message "Hello
world" to a suitably configured mobile phone. All data is executable code,
given a suitable interpreter. Anyone who thinks they can achieve security by
monitoring the data sent over a network (e.g. by prohibiting attachments
with the file extension .ZIP or .XML) is either extremely naive, or
pragmatic enough to know that it's only a very small part of the solution.

Michael Kay
http://www.saxonica.com/

> -----Original Message-----
> From: Costello, Roger L. [mailto:costello@m...] 
> Sent: 12 April 2008 12:16
> To: xml-dev@l...
> Subject:  XML is Mobile Code? [was: Defining an XML 
> vocabulary: specify syntax, semantics, and BEHAVIOR?]
> 
> Hi Folks,
> 
> It just occurred to me ...
> 
> We have determined that XML has two primary roles:
> 
>     1. Encode behavior (instructions)
> 
>     2. Encode data
> 
> [Len, what does it mean to "encode script nodes?"]
> 
> In its first role (encoding behavior), XML is mobile code.  
> For example, the XSLT vocabulary is an encoding of a certain 
> behavior (i.e. an encoding of a certain set of instructions), 
> and when you transport an XSLT document across the Internet, 
> you are transporting code. 
> 
> When you transport, say, JavaScript code across the Internet, 
> you know the extent of the security implications since 
> JavaScript is a bounded syntax with bounded capabilities (and 
> a bounded set of security problems).
> 
> But XML is unbounded, and the types of behavior that may be 
> encoded in XML are unbounded.  Thus, there is no way, in 
> general, to assess the extent of the security implications 
> for arbitrary XML documents.
> Yikes!  
> 
> I am surely missing something.  Please tell me where my thinking errs.
> 
> /Roger

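An added example, not part of the original messages: it contrasts the file-extension check mentioned in the reply with a look at what the bytes actually are, using the XSLT case from the quoted post. The namespace list, function names and sample documents are assumptions constructed for illustration; the content check reports only the vocabulary a document declares, not what a given interpreter will do with it.

```python
import xml.parsers.expat

# Vocabularies that encode behaviour rather than plain data.
# Assumption for this example: a short, non-exhaustive list.
BEHAVIOR_NAMESPACES = {
    "http://www.w3.org/1999/XSL/Transform": "XSLT",
    "http://www.w3.org/2000/svg": "SVG",
    "http://www.w3.org/1999/xhtml": "XHTML",
}

class _Stop(Exception):
    """Raised from a handler to stop parsing early."""

def extension_filter(filename, blocked=(".zip", ".xml")):
    """Name-based check: True means the attachment would be blocked."""
    return filename.lower().endswith(blocked)

def classify_content(data: bytes) -> str:
    """Classify bytes by DOCTYPE presence and root-element namespace."""
    found = {}
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, system_id, public_id, has_internal_subset):
        found["doctype"] = True
        raise _Stop  # stop before any entity declarations are processed

    def on_start(name, attrs):
        # With a namespace separator, expat reports "uri localname".
        found["root_ns"] = name.rpartition(" ")[0]
        raise _Stop  # only the root element is needed

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _Stop:
        pass
    except xml.parsers.expat.ExpatError:
        return "not-xml"
    if found.get("doctype"):
        return "xml-with-doctype"
    label = BEHAVIOR_NAMESPACES.get(found.get("root_ns", ""))
    return f"behavior:{label}" if label else "data"

# Constructed samples: a stylesheet named .txt and plain data named .xml.
STYLESHEET = (b'<xsl:stylesheet version="1.0" '
              b'xmlns:xsl="http://www.w3.org/1999/XSL/Transform"/>')
ORDER = b"<order><item>1</item></order>"
```

Here `extension_filter("report.txt")` lets the stylesheet through while `extension_filter("order.xml")` blocks plain data; `classify_content` gets both right but still says nothing about documents in vocabularies it has never heard of.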

