On Sun, Mar 02, 2008 at 08:50:58PM +0000, Tony Finch <dot@xxxxxxxx> wrote a message of 16 lines which said:

> The latest RISKS gives an example

The actual original reference is:
http://www.w3.org/blog/systeam/2008/02/08/w3c_s_excessive_dtd_traffic

> Perhaps the security considerations section of the draft should
> describe some ways of mitigating it?

Yes. I suggest (continuing the first paragraph of section 7):

   On the client side, implementors MUST use the existing solutions to
   limit the rate of access to the origin server. They include:

   * ability to use HTTP caching ([RFC 2616], section 13)
   * local storage of data, together with HTTP headers like
     If-Modified-Since ([RFC 2616], section 14.25)
   * XML catalogs ([OASIS 2001])

   On the server side, server managers should be aware that some clients
   will not play nice, as described in [W3C 2008]. Server managers should
   be prepared to use measures such as rate-limiting as well as IP
   blacklisting of the worst offenders.

   [W3C 2008] W3C's Excessive DTD Traffic. Ted Guild.
   <http://www.w3.org/blog/systeam/2008/02/08/w3c_s_excessive_dtd_traffic>

   [OASIS 2001] XML Catalogs Committee Specification 06 Aug 2001.
   Ed.: Norman Walsh.
   <http://www.oasis-open.org/committees/entity/spec-2001-08-06.html>
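The three client-side measures proposed in the message, worked into an added example that is not part of the original thread: a DTD resolver that answers known public identifiers from a local catalog, serves a still-fresh copy without contacting the origin at all (RFC 2616 section 13), and revalidates a stale copy with If-Modified-Since (section 14.25). The catalog path, the DTD URL and FakeOrigin are constructed stand-ins so the code runs offline.

```python
import re
import time
from dataclasses import dataclass, field

# Constructed catalog: public identifiers mapped to local copies (hypothetical path).
CATALOG = {"-//W3C//DTD XHTML 1.0 Strict//EN": "/usr/share/xml/xhtml1-strict.dtd"}

@dataclass
class DtdResolver:
    # fetch(url, headers) -> (status, response_headers, body); injected so the
    # example runs offline against FakeOrigin below. now() is injectable for tests.
    fetch: object
    now: object = time.time
    cache: dict = field(default_factory=dict)  # system_id -> {body, last_modified, fresh_until}

    def resolve(self, public_id, system_id):
        """Return (source, content); source is 'catalog', 'cache' or 'origin'."""
        if public_id in CATALOG:            # 1. XML catalog: never touch the network
            return "catalog", CATALOG[public_id]
        entry = self.cache.get(system_id)
        if entry and self.now() < entry["fresh_until"]:
            return "cache", entry["body"]   # 2. RFC 2616 s.13: fresh copy, no request sent
        headers = {}
        if entry:                           # 3. RFC 2616 s.14.25: cheap revalidation
            headers["If-Modified-Since"] = entry["last_modified"]
        status, resp, body = self.fetch(system_id, headers)
        m = re.search(r"max-age=(\d+)", resp.get("Cache-Control", ""))
        fresh_until = self.now() + (int(m.group(1)) if m else 0)
        if status == 304 and entry:
            entry["fresh_until"] = fresh_until
            return "cache", entry["body"]
        self.cache[system_id] = {"body": body, "last_modified": resp.get("Last-Modified", ""),
                                 "fresh_until": fresh_until}
        return "origin", body

class FakeOrigin:
    """Constructed stand-in for the DTD server: counts requests, answers 304 when unchanged."""
    def __init__(self):
        self.last_modified = "Fri, 08 Feb 2008 00:00:00 GMT"
        self.requests = 0

    def __call__(self, url, headers):
        self.requests += 1
        resp = {"Last-Modified": self.last_modified, "Cache-Control": "max-age=3600"}
        if headers.get("If-Modified-Since") == self.last_modified:
            return 304, resp, b""
        return 200, resp, b"<!ELEMENT doc (#PCDATA)>"
```

With a 3600-second max-age, a parser that re-reads the same document every few seconds costs the origin one full fetch and then one small conditional request per hour instead of one download per parse.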