Re: draft-duerst-iana-namespace-00.txt

On Sun, Mar 02, 2008 at 08:50:58PM +0000,
 Tony Finch <dot@xxxxxxxx> wrote 
 a message of 16 lines which said:

> The latest RISKS gives an example 

The actual original reference is:

http://www.w3.org/blog/systeam/2008/02/08/w3c_s_excessive_dtd_traffic

> Perhaps the security considerations section of the draft should
> describe some ways of mitigating it?

Yes. I suggest (continuing the first paragraph of section 7):

On the client side, implementors MUST use the existing solutions to
limit the rate of access to the origin server. They include:

* ability to use HTTP caching ([RFC 2616], section 13)
* local storage of data, together with HTTP headers like
  If-Modified-Since ([RFC 2616], section 14.25)
* XML catalogs ([OASIS 2001]) 

On the server side, server managers should be aware that some clients
will not play nice, as described in [W3C 2008]. Server managers should
be prepared to use measures such as rate-limiting as well as IP
blacklisting of the worst offenders.


[W3C 2008] W3C's Excessive DTD Traffic. Ted
Guild. <http://www.w3.org/blog/systeam/2008/02/08/w3c_s_excessive_dtd_traffic>

[OASIS 2001] XML Catalogs Committee Specification 06 Aug 2001. Ed.:
Norman Walsh.
<http://www.oasis-open.org/committees/entity/spec-2001-08-06.html>

_______________________________________________
IETF mailing list
IETF@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
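The XML-catalog and local-storage mitigations proposed in the message above, as an added example (this code is not from the draft, from the thread, or from W3C): an XML processor whose entity resolver answers DTD references from a local catalog and fails closed on anything the catalog does not know, so that no parse ever contacts www.w3.org. The XHTML public and system identifiers are real; the catalog contents, the two-line stand-in DTD and the sample documents are constructed for the example.

```python
"""Deny-by-default entity resolver backed by a local XML catalog.

Added example, not code from draft-duerst-iana-namespace or from this thread.
The processor below never opens a network connection for a DTD: it serves
anything the catalog knows from a local copy and refuses everything else.
"""
import io
import xml.sax
import xml.sax.handler
from xml.sax.xmlreader import InputSource

# Constructed stand-in for a locally stored DTD. A deployment would point the
# catalog at the full DTD file on disk; two entity declarations are enough to
# show that the local copy, not www.w3.org, is what the parser reads.
LOCAL_XHTML_DTD = b'<!ENTITY copy "&#169;">\n<!ENTITY nbsp "&#160;">\n'

# In-memory catalog with the two lookup keys an OASIS XML Catalog uses:
# <public publicId=...> and <system systemId=...> entries (constructed).
CATALOG_PUBLIC = {"-//W3C//DTD XHTML 1.0 Strict//EN": LOCAL_XHTML_DTD}
CATALOG_SYSTEM = {"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd": LOCAL_XHTML_DTD}


class CatalogMiss(Exception):
    """Raised when a document references an external entity the catalog lacks."""

    def __init__(self, public_id, system_id):
        super().__init__(f"refusing to fetch {system_id!r} (public id {public_id!r})")
        self.public_id = public_id
        self.system_id = system_id


class CatalogResolver(xml.sax.handler.EntityResolver):
    """Resolve external entities from the catalog only."""

    def __init__(self):
        self.served = []  # (publicId, systemId) pairs answered from the catalog

    def resolveEntity(self, publicId, systemId):
        body = CATALOG_PUBLIC.get(publicId) or CATALOG_SYSTEM.get(systemId)
        if body is None:
            # Fail closed. Returning the system id (the base-class default)
            # would make xml.sax call urllib.request.urlopen() on it.
            raise CatalogMiss(publicId, systemId)
        self.served.append((publicId, systemId))
        src = InputSource(systemId)
        src.setByteStream(io.BytesIO(body))  # stream already set: nothing is fetched
        return src


class TextCollector(xml.sax.handler.ContentHandler):
    """Gather character data so the caller can see that entities expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_with_catalog(document):
    """Parse bytes with external entity loading on, but only via the catalog.

    Returns (text, served), where served lists identifiers answered locally.
    Raises CatalogMiss, before any network access, for unknown identifiers.
    """
    resolver = CatalogResolver()
    collector = TextCollector()
    parser = xml.sax.make_parser()
    # External entity loading is off by default in xml.sax; it is enabled here
    # only because the resolver guarantees it never reaches the network.
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    parser.setEntityResolver(resolver)
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(document))
    return "".join(collector.chunks), resolver.served


# Constructed sample documents: one the catalog covers, one it does not.
XHTML_DOC = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"\n'
    b'    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\n'
    b'<html><body>&copy; 2008</body></html>\n'
)
UNKNOWN_DOC = (
    b'<!DOCTYPE report SYSTEM "http://example.invalid/schemas/report.dtd">\n'
    b'<report>ok</report>\n'
)

if __name__ == "__main__":
    text, served = parse_with_catalog(XHTML_DOC)
    print(text, served)
    try:
        parse_with_catalog(UNKNOWN_DOC)
    except CatalogMiss as miss:
        print("refused:", miss.system_id)
```

The `&copy;` reference in the first document is expanded from the local copy, and the second document is rejected before any fetch is attempted; a resolver that instead returned the system identifier would hand the URL to urllib and become exactly the kind of client [W3C 2008] describes.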

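The HTTP-caching and If-Modified-Since mitigations from the proposed text, as an added example (not from the draft, the thread, or W3C): a client that does fetch a DTD over HTTP keeps one copy, serves it while the origin's max-age says it is fresh, and afterwards revalidates with If-None-Match / If-Modified-Since so an unchanged DTD costs the origin a 304 rather than a full body. The origin server here is a constructed stand-in that counts full responses; the fetch function is injected so the example runs offline.

```python
"""Freshness and conditional GET for fetched DTDs.

Added example, not code from the draft or this thread. The cache keeps one
copy per URL, sends nothing while that copy is fresh, and revalidates with
If-None-Match / If-Modified-Since (RFC 2616 sections 13 and 14.25) once it
is stale.
"""
import re
import time

_MAX_AGE = re.compile(r"max-age=(\d+)")


def max_age_seconds(headers, default=0):
    """Extract max-age from a Cache-Control header; default if absent."""
    match = _MAX_AGE.search(headers.get("Cache-Control", ""))
    return int(match.group(1)) if match else default


class DtdCache:
    """Cache of fetched DTDs that issues conditional requests on revalidation.

    fetch(url, headers) -> (status, response_headers, body) is injected so the
    example runs offline; in practice it would wrap urllib.request.
    """

    def __init__(self, fetch, clock=time.monotonic):
        self.fetch = fetch
        self.clock = clock
        self.entries = {}      # url -> {"body", "etag", "last_modified", "fresh_until"}
        self.requests_sent = 0

    def get(self, url):
        now = self.clock()
        entry = self.entries.get(url)
        if entry is not None and now < entry["fresh_until"]:
            return entry["body"]           # fresh copy: no request at all
        headers = {}
        if entry is not None:              # stale copy: ask only if it changed
            if entry["etag"]:
                headers["If-None-Match"] = entry["etag"]
            if entry["last_modified"]:
                headers["If-Modified-Since"] = entry["last_modified"]
        self.requests_sent += 1
        status, resp, body = self.fetch(url, headers)
        if status == 304 and entry is not None:
            entry["fresh_until"] = now + max_age_seconds(resp)
            return entry["body"]
        if status == 200:
            self.entries[url] = {
                "body": body,
                "etag": resp.get("ETag"),
                "last_modified": resp.get("Last-Modified"),
                "fresh_until": now + max_age_seconds(resp),
            }
            return body
        raise RuntimeError(f"unexpected HTTP {status} for {url}")


class FakeOrigin:
    """Constructed stand-in for the DTD server; counts full-body responses."""

    def __init__(self):
        self.body = b'<!ENTITY copy "&#169;">\n'
        self.etag = '"dtd-2008-02-08"'
        self.last_modified = "Fri, 08 Feb 2008 00:00:00 GMT"
        self.full_responses = 0

    def fetch(self, url, headers):
        common = {"ETag": self.etag, "Last-Modified": self.last_modified,
                  "Cache-Control": "max-age=3600"}
        if (headers.get("If-None-Match") == self.etag
                or headers.get("If-Modified-Since") == self.last_modified):
            return 304, common, b""
        self.full_responses += 1
        return 200, common, self.body


def simulate(url="http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"):
    """Parse 100 documents over a simulated day, one every 15 minutes.

    Returns the request counters; a client with no cache would have sent 100
    full requests to the origin for the same work.
    """
    origin = FakeOrigin()
    clock = [0.0]
    cache = DtdCache(origin.fetch, clock=lambda: clock[0])
    for _ in range(100):
        cache.get(url)
        clock[0] += 900
    return {"parses": 100, "requests_sent": cache.requests_sent,
            "full_responses": origin.full_responses}


if __name__ == "__main__":
    print(simulate())
```

With a one-hour max-age the hundred parses turn into twenty-five requests, of which only the first carries a body; the remaining twenty-four are 304s. Setting the cached entry's freshness from the origin's own Cache-Control rather than a client-side constant means the operator of the DTD server, not the client, decides how often it is asked.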