[sc34wg3] <mergeMap/> and security
Lars Marius Garshol
larsga at ontopia.net
Fri Apr 21 04:07:44 EDT 2006
* Robert Barta
>
> True, but the insidiousness of the attack is that - once the attacker
> has analyzed the merging procedure of a particular software - the
> recipient has very high computational costs.
>
> You can protect yourself from it by limiting the size of the
> interchanged fragment, though.

Yes, and by restricting who can add fragments to your topic map.

I think the conclusion to this debate is that the somewhat rough and
ragged consensus is that while there are security concerns attached
to the <mergeMap/> element, they are not strong enough to warrant
leaving it out.
--
Lars Marius Garshol, Ontopian http://www.ontopia.net
+47 98 21 55 50 http://www.garshol.priv.no
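
Added example, not part of the original message or of any Topic Maps implementation: a Python sketch of the two mitigations named in the thread (limiting the size of the interchanged fragment and restricting who can add fragments), applied before a fragment reaches the merge step. The limits, the allowlisted origin and all function names are assumptions; the topic-count cap and the DTD rejection go beyond what the thread mentions.

```python
import io
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumed policy values for this sketch, not taken from the thread.
MAX_FRAGMENT_BYTES = 64 * 1024
MAX_TOPICS = 500
TRUSTED_SOURCES = {"https://maps.example.org"}  # constructed origin


class FragmentRejected(Exception):
    """Raised when a fragment fails a policy check before merging."""


def check_source(url):
    """Restrict who can add fragments: scheme and host must be allowlisted."""
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    if origin not in TRUSTED_SOURCES:
        raise FragmentRejected(f"untrusted source: {origin}")


def read_capped(stream, limit=MAX_FRAGMENT_BYTES):
    """Limit fragment size: read at most limit bytes, refuse anything larger."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise FragmentRejected(f"fragment exceeds {limit} bytes")
    return data


def count_topics(data, limit=MAX_TOPICS):
    """Bound the merge work by capping topics, aborting the parse early."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise FragmentRejected("DTD/entity declarations not accepted")
    topics = 0
    for _event, elem in ET.iterparse(io.BytesIO(data), events=("start",)):
        # Compare the local name so namespaced and plain tags both match.
        if elem.tag.rsplit("}", 1)[-1] == "topic":
            topics += 1
            if topics > limit:
                raise FragmentRejected(f"more than {limit} topics")
    return topics


def admit_fragment(url, stream):
    """Run all checks; return the bytes that may be passed to the merger."""
    check_source(url)
    data = read_capped(stream)
    count_topics(data)
    return data
```

The source check runs first so that nothing is read or parsed from a sender that is not allowed to contribute fragments at all.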