From: Mark Curphey (markcurphey.com)
Date: Tue Oct 23 2001 - 09:17:41 CDT


    Agree but pointing to a local DTD that you have control over would make more
    sense. I guess I am not sure what would happen in P3P if the browser
    couldn't connect to the DTD at W3. If the browser can't validate the policy
    so defaults to a "close on fail" type policy then the page would not be
    displayed. Imagine if someone hacked the W3C servers! Could they stop
    millions of IE6 users from browsing?

    -----Original Message-----
    From: jeremiahwww.whitehatsec.com
    [mailto:jeremiahwww.whitehatsec.com]On Behalf Of Jeremiah Grossman
    Sent: Monday, October 22, 2001 11:51 PM
    To: markcurphey.com
    Cc: webappsecsecurityfocus.com
    Subject: Re: P3P. Poking holes

    Mark Curphey wrote:

    > What happens to the XML P3P policy file - Does it need to validate the
    > DTD at w3c or similar ?

    Well I think it's best for all XML documents to reference a DTD, but it
    does not exactly have to. The parser can continue if it can display
    properly. But for security, DTDs are essential to make sure the document
    adheres to it properly.

    > I have seen some amusing applications that will
    > just stop when they can't validate a DTD.

    Badly designed apps me thinks.

    > Basing checking privacy preferences
    > on DNS wouldn't seem appropriate if it does !

    DNS is another issue when the client receives the policy. If you can
    spoof the DNS entry, you might escalate privs of YOUR policy.
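The local-DTD approach Mark proposes above, and the "close on fail" behaviour he worries about, as an added Python example (not part of this thread or of any P3P implementation): the parser is allowed to follow the policy's DOCTYPE reference, but only through a resolver that serves DTDs from a local catalog, so neither a W3C outage nor a spoofed host can influence parsing. The catalog URL, the DTD text and the two policy documents are constructed samples.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges

# Constructed sample: the one DTD we serve, held locally (in memory here; a file
# on disk in practice). The URL is a placeholder DOCTYPE target and is never fetched.
LOCAL_DTD_CATALOG = {
    "http://dtd.example.invalid/p3p.dtd": b"<!ELEMENT POLICIES (POLICY*)><!ELEMENT POLICY (#PCDATA)><!ATTLIST POLICY discuri CDATA #REQUIRED>",
}

class DtdNotInCatalog(Exception):
    """The document's DOCTYPE points at a DTD we do not hold locally."""

class CatalogResolver(EntityResolver):
    """Serve external entities from the local catalog only; never touch the network."""
    def __init__(self, catalog):
        self.catalog = catalog
        self.resolved = []  # system ids served locally, for audit logging

    def resolveEntity(self, publicId, systemId):
        if systemId not in self.catalog:
            # Fail closed with an explicit error rather than a remote fetch that
            # could hang, fail, or be answered by a compromised or spoofed host.
            raise DtdNotInCatalog(systemId)
        self.resolved.append(systemId)
        return io.BytesIO(self.catalog[systemId])

class PolicyCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.discuris = []  # discuri attribute of each POLICY element

    def startElement(self, name, attrs):
        if name == "POLICY":
            self.discuris.append(attrs.get("discuri"))

def parse_policy(xml_bytes, catalog=LOCAL_DTD_CATALOG):
    """Return (discuri values, DTD ids served locally); raise DtdNotInCatalog otherwise."""
    resolver, collector = CatalogResolver(catalog), PolicyCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # follow the DOCTYPE reference...
    parser.setEntityResolver(resolver)             # ...but only through our resolver
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.discuris, resolver.resolved

# Constructed sample policies: one pointing at our DTD, one at a DTD we do not hold.
GOOD_POLICY = b"""<?xml version="1.0"?>
<!DOCTYPE POLICIES SYSTEM "http://dtd.example.invalid/p3p.dtd">
<POLICIES><POLICY discuri="http://www.example.com/privacy.html">ok</POLICY></POLICIES>"""
FOREIGN_DTD_POLICY = GOOD_POLICY.replace(b"/p3p.dtd", b"/not-ours.dtd")
```

Expat does not validate against the DTD, so this controls where the DTD comes from rather than enforcing its content rules; a validating parser would be wired to the same resolver.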