Re: XML Reeks of Insecurity: "Seven Key XML-Specific Security Issues That Must Be Addressed"

From: Scott Brown <r_dot_scott_dot_brown_at_gmail_dot_com>
Date: Mon May 02 2005 - 10:20:57 CDT

Open question: is dropping XML seriously being considered, or is this simply
JamBoi's personal crusade?

If it is seriously being considered, allow me to address Kuznetsov's
article. None of his issues are a problem. Most of them address security
over the network. The OVC system will NOT be a remotely accessible network
server (it's not going to be serving up web pages), so there is NO risk of
stoen network packets, denial of service (DOS) attacks or the like.
Furthermore, Kuznetsov's article is clearly NOT a message of "XML is
dangerously insecure". It's actually more like an "XML best practices"
document. It's not a bad read and he's advocating the use of XML. I agree
with him.

As far as security, what we should be (and have been) concerned with is the
possibility of a nefarious user getting direct terminal access to the system
and modifying or stealing voting records. Whether we're using
digitally-signed XML or digitally-signed "OVCML", this risk remains the
same.

-- Scott

On 5/2/05, JamBoi <jamboi@yahoo.com> wrote:
>
> Yeah, that's why I recommend we go with OVCML Tek. The benefits
> without the known Insecurities of XML Tek!
>
> JamBoi
>

_______________________________________________
OVC discuss mailing lists
Send requests to subscribe or unsubscribe to arthur@openvotingconsortium.org
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Tue May 31 23:17:07 2005

This archive was generated by hypermail 2.1.8 : Tue May 31 2005 - 23:17:52 CDT