On Tim Bray's "Exception" to Postel's Law

Posted on March 1, 2022

Postel’s Law is often applied when implementing network protocols. In its most common form, the Law instructs implementers to “Be conservative in what you transmit and liberal in what you accept.”

Tim Bray gives the following malformed XML snippet as (what he argues is) an obvious exception to Postel’s Law:

<trade>
 <ticker>IBM</ticker>
 <amount>100

The context of his example is “an equity-trade execution module receiving messages from traders.” Bray thinks that it is obvious that an XML implementer should reject this message, even though Postel’s Law might encourage an implementation to accept it. He argues that it would be reckless to assume that the amount is correct, because the closing XML tags might not be the only things missing. We could, for example, be missing trailing zeros too.

However, the problem that Bray has identified does not actually arise if the broader stock trading protocol is designed properly. It only would arise if the trading protocol depended on XML for stream reliability (a service that XML is not designed to provide).

Presumably, this XML message is just one detail in a larger protocol that defines how to request a stock trade. In context, the stock trading protocol might be defined roughly as follows:

To make a trade, send a Trade message identifying the stock with its ticker symbol and the number of shares you wish to trade. A positive amount indicates that the specified number of shares should be purchased, and a negative amount indicates that the specified number of shares should be sold. A message with a zero amount will be ignored.

Trade messages must be encoded using XML, according to the following schema: [XML schema omitted]

Messages must be transmitted over TCP.

With these additional details, it is clear that there could not be any missing trailing zeros in our XML Trade message, even if the implementation sending the message has omitted trailing XML tags. Our protocol requires that messages be transmitted over TCP, which provides reliable delivery of a stream. An implementation of TCP that returns stream data without error when the sender has not sent a Finish message is not merely an implementation that is liberal in what it accepts; it is an incorrect implementation that does not provide the reliability required by TCP.

There may be other arguments against Postel’s Law, but Bray’s is not one of them.

Bray’s example does, however, exemplify two important principles in protocol design and implementation:

  1. Protocols should clearly define the properties that all implementations must satisfy.
  2. Implementers must ensure that their implementation satisfies the protocol properties, even if it accepts input more liberally than the protocol allows.

TCP is clearly intended to provide reliable stream delivery, so any implementation that is so liberal as to compromise stream integrity is a broken implementation. XML, on the other hand, makes no guarantees about stream integrity. It is focused on providing semantic markup for text documents. Any liberality in parsing XML that compromises the semantic meaning of the document would be incorrect. In Bray’s example, the meaning of the document seems perfectly clear, so accepting it as a valid XML document is an acceptable application of Postel’s Law.

(PS: It may be wise to include additional mechanisms in our stock trading protocol to ensure reliability in the face of incorrect TCP implementations, but that does not affect our argument.)
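To make the two principles concrete, here is an added example in Python (not code from Bray or from this post). It assumes a constructed length-prefix framing on top of TCP, the kind of additional mechanism the PS mentions, so that message completeness is checked at the transport layer while the Trade parser stays liberal about the missing closing tags in Bray's snippet:

```python
from __future__ import annotations
import re
import struct

# Constructed framing (an assumption of this example, not part of the post):
# each Trade message is sent as a 4-byte big-endian length prefix plus body,
# so completeness is decided by the transport layer, never by the XML parser.
TICKER_RE = re.compile(r"<ticker>\s*([A-Z.]+)")
AMOUNT_RE = re.compile(r"<amount>\s*(-?\d+)")


def frame(message: str) -> bytes:
    """Sender side: length-prefix one Trade message."""
    body = message.encode()
    return struct.pack(">I", len(body)) + body


def unframe(stream: bytes) -> list[str]:
    """Receiver side: split the stream into complete messages.
    A stream that ends inside a frame is a transport failure: raise rather
    than hand a possibly shortened message (e.g. '10' from '1000') to the parser."""
    messages, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", stream[pos:pos + 4])
        pos += 4
        if len(stream) - pos < n:
            raise ValueError("truncated message body")
        messages.append(stream[pos:pos + n].decode())
        pos += n
    return messages


def parse_trade(message: str) -> tuple[str, int] | None:
    """Liberal parse of one *complete* Trade message: missing closing tags
    (Bray's snippet) are tolerated because the meaning is unambiguous.
    Returns (ticker, signed share count), or None for a zero amount (ignored)."""
    ticker, amount = TICKER_RE.search(message), AMOUNT_RE.search(message)
    if not ticker or not amount:
        raise ValueError("not a Trade message")
    shares = int(amount.group(1))
    return None if shares == 0 else (ticker.group(1), shares)


def execute(stream: bytes) -> list[tuple[str, int]]:
    """Unframe first, then parse each whole message liberally."""
    return [t for t in map(parse_trade, unframe(stream)) if t is not None]
```

The truncation check lives in `unframe`: a body cut from `1000` to `10` is rejected by the length prefix before the lenient parser ever sees it.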