Valid RDF and security

Robb Shecter shecter at
Mon Feb 15 18:13:56 GMT 1999


A week or so ago, someone asked how a piece of RDF can be validated,
analogous to the way that a piece of XML can be validated with a DTD.  I
don't think anybody answered this, or I missed the answer. (?)  I'm new
to RDF, and don't know the answer, because as I understand it,
validating RDF would mean making sure that the document properly follows
(say) Dublin Core, and DC is defined as a schema, not as a DTD. (?)

I have a concrete application, and so this isn't just an esoteric question
to me:

I'm working on an OO framework for gathering metadata from various
websites, and presenting it in a nice way for browsing.  Most sites have
their own home-made metadata format (see ).  OO design makes my task easy:  I
use the Adapter pattern.  I write an adapter for each site that converts
its file format into an object model that then gets digested by the rest
of my framework.

Now, what if I want to make this scalable by shifting the burden of
writing these adapters to the site administrators themselves?

Idea 1:  Have webadmins write Java adapter classes that my framework
would dynamically load via http.  This sounds cool, is possible
(servlets do this), but has a security risk:  These webadmins at
external sites are untrusted.  If I load and link their code on the fly,
it could be programmed to do any number of destructive things on my

Idea 2:  Specify that webadmins must make an XML document available via
http. The format would be simple like:

     <NewsItem title="Java's not dead" url="http://...." />

...I also write a DTD for this, and make it publicly available.  Then, I
write one adapter for my framework that parses this XML, and throws an
exception if it doesn't match the DTD.  And here, I see an advantage to
the fact that XML is like objects without behavior.  Because, that makes
it secure.  An XML document can't damage my server, and with a DTD I can
guarantee that the 3rd party has conformed to my interface.  The DTD in
fact has taken the place of the Java "interface" that the 3rd party web
admins would have had to implement.

Idea 3: Well, after reading about RDF, it seems like I'm reinventing the
wheel a bit.  RDF is designed to do just what I was thinking about in
2.  But, how do I validate it?  And in my application, I really need the
validation, because the validation enforces program functioning and

Thanks for any comments,
- Robb

xml-dev: A list for W3C XML Developers. To post, mailto:xml-dev at
Archived as: and on CD-ROM/ISBN 981-02-3594-1
List coordinator, Henry Rzepa (mailto:rzepa at
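
Idea 2 from the post, sketched as an added example (not code from the original message): a Java adapter that validates a fetched NewsItem document against a DTD held on the consuming server and throws if it does not conform. The DTD text, the class name and the `newsitem.dtd` system identifier are assumptions; the adapter also refuses any DOCTYPE the remote site supplies, so the sender cannot substitute its own declarations, a step the post does not mention.

```java
import java.io.*;
import javax.xml.parsers.*;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.xml.sax.*;

public class NewsItemAdapter {
    // Assumed DTD for the post's NewsItem format; kept locally, never fetched.
    static final String DTD = "<!ELEMENT NewsItem EMPTY>"
        + "<!ATTLIST NewsItem title CDATA #REQUIRED url CDATA #REQUIRED>";
    // Turn every validity or well-formedness error into an exception.
    static final ErrorHandler STRICT = new ErrorHandler() {
        public void warning(SAXParseException e) {}
        public void error(SAXParseException e) throws SAXException { throw e; }
        public void fatalError(SAXParseException e) throws SAXException { throw e; }
    };

    static Document parse(String xml, boolean validating) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Pass 1 (non-validating) rejects any DOCTYPE in the sender's document.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", !validating);
        f.setValidating(validating);
        DocumentBuilder b = f.newDocumentBuilder();
        b.setErrorHandler(STRICT);
        // Pass 2: the only external reference is our own DOCTYPE; serve the local DTD.
        b.setEntityResolver((pub, sys) -> new InputSource(new StringReader(DTD)));
        return b.parse(new InputSource(new StringReader(xml)));
    }

    // Returns the validated document, or throws if it breaks the interface.
    static Document accept(String untrusted) throws Exception {
        Document raw = parse(untrusted, false);
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.DOCTYPE_SYSTEM, "newsitem.dtd");
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(raw), new StreamResult(out));
        return parse(out.toString(), true);   // validate against our DTD only
    }

    public static void main(String[] args) {
        String[] samples = {   // constructed inputs
            "<NewsItem title=\"Java's not dead\" url=\"http://example.org/a\"/>",
            "<NewsItem title=\"no url\"/>",
            "<!DOCTYPE NewsItem [<!ATTLIST NewsItem url CDATA #IMPLIED>]><NewsItem title=\"x\"/>" };
        for (String s : samples) {
            try { accept(s); System.out.println("accepted: " + s); }
            catch (Exception e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```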
