> Tony Finch wrote:
> > The latest RISKS gives an example of the magnitude of the problem of
> > unwanted traffic caused by using URLs instead of URNs for protocol
> > identification URIs. Perhaps the security considerations section of the
> > draft should describe some ways of mitigating it?
> >
> > http://catless.ncl.ac.uk/Risks/25.07.html#subj9
> >
> > Tony.

> I think this is a misunderstanding.

> The URI of a DTD is needed to fetch the DTD. The W3C suffers from
> clients that refetch the DTD all the time.

> Contrary to that, XML processors do not resolve namespace URIs, they are
> purely used as identifiers.

That's certainly how things are supposed to work. It may or may not be how they actually work.

Some years back one of my email addresses ended up in a few of the headers of a MIME test message corpus. This corpus isn't part of any standard and was never widely promoted, and there's no obvious path by which an address in a test message header would or should be replied to. Yet the fact remains that over the years I've received hundreds of bogus responses as a result of this inclusion.

The bottom line is that if something is syntactically usable people will screw up and use it; the only question is how often. For example, I could easily see some bit of code being written that attempts to resolve anything that looks like a URL no matter what context it appears in.

Now, maybe in this case it won't happen often enough to matter. I certainly hope that's the case. But one of the things we're supposed to do here is try and anticipate possible difficulties, and given past history I think some concern is warranted.

Ned
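The distinction debated in this thread, as an added example that is not code from any of the posters or from the draft: with Python's expat bindings, the DTD system identifier is the only URI the parser asks to dereference, the namespace URI is only reported as a name, and a local catalog answers the DTD request without network traffic. The URLs, sample document and catalog are constructed, and `naive_url_scan` and `audit` are hypothetical names.

```python
import re
from xml.parsers import expat

# Constructed sample values; none of them come from the thread.
DTD_URL = "http://dtd.example.org/sample.dtd"
NS_URL = "http://ns.example.org/sample"
SAMPLE = ('<!DOCTYPE doc SYSTEM "%s">\n'
          '<doc xmlns="%s"><item/></doc>\n' % (DTD_URL, NS_URL)).encode()
# Local copies keyed by system identifier, standing in for an XML catalog.
LOCAL_CATALOG = {DTD_URL: b"<!ELEMENT doc (item)*>\n<!ELEMENT item EMPTY>\n"}


def naive_url_scan(doc):
    """The failure mode: treat every URL-shaped string as fetchable."""
    return re.findall(r"https?://[^\s\"'<>]+", doc.decode())


def audit(doc, catalog):
    """Parse doc and report what the parser wanted to dereference."""
    report = {"namespaces": [], "served_locally": [], "skipped": []}
    parser = expat.ParserCreate(namespace_separator=" ")
    # Have expat ask for the external DTD subset, as DTD-reading clients do.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def on_namespace(prefix, uri):
        report["namespaces"].append(uri)  # kept as a name, never resolved

    def on_external_entity(context, base, system_id, public_id):
        local = catalog.get(system_id)
        if local is None:
            report["skipped"].append(system_id)  # no network fallback
            return 1
        report["served_locally"].append(system_id)
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(local, True)
        return 1

    parser.StartNamespaceDeclHandler = on_namespace
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(doc, True)
    return report


if __name__ == "__main__":
    print("naive scan would fetch:", naive_url_scan(SAMPLE))
    print("with catalog:", audit(SAMPLE, LOCAL_CATALOG))
    print("without catalog:", audit(SAMPLE, {}))
```

The naive scan returns both URLs, which is the context-blind behaviour Ned describes; the parser-driven audit only ever requests the DTD.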