All good, and thanks. Go ahead and post a revised I-D when you're ready.
>> The answer to all of that might be “no”, but it would be good to… as
>> we used to say in school, show your work.
>
> Yes, the quick answer is that I don't see the server using this as a
> source for an attack, but we can add a consideration to help mitigate
> it. I can add the sentence "Since the unhandled namespace context is
> XML that is not processed in the first pass by the XML parser, the
> client SHOULD consider validating the XML when the content is
> processed to protect against the inclusion of malicious content." The
> content is not processed by a client that doesn't support the service,
> where the <extValue> element provides a signal of the lack of client
> support along with the XML content that is initially unprocessed. If
> the client does decide to process the XML content systematically, the
> additional sentence can provide guidance to not open up a security
> hole. Do you believe this will help? Do you have any additional
> recommended text?

I have nothing further to recommend, and I do think it will help -- if
at least to show that it was thought about, and that the "nothing new
here" statement isn't just perfunctory.

Thanks.

Barry

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext