nCircle.com >> 360 Security


Die, XML

One of the guys that runs our network here, Storms, pointed out that the OVAL pseudo code for the WMF check is rather amusing (I'll show just the XP case):

vulnerable software section:
Windows XP is installed
------------------------------------------------------
-- registry_test:
o the hive 'HKEY_LOCAL_MACHINE' exists
o the key 'SOFTWARE\Microsoft\Windows NT\CurrentVersion' exists
o the name 'CurrentVersion' exists
o the value equals '5.1'

While I was still in a good mood, I scrolled down and saw that the basis of the script/check/definition is XML:

<oval xmlns="http://oval.mitre.org/XMLSchema/oval" xmlns:oval="http://oval.mitre.org/XMLSchema/oval" xmlns:windows="http://oval.mitre.org/XMLSchema/oval#windows" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval oval-schema.xsd " >

    <generator >
      <schema_version > 4.2 </schema_version>
      <timestamp > 20051229114905 </timestamp>
    </generator>
    <definitions >
      <definition id="OVAL1433" class="vulnerability" >
        <affected family="windows" >
          <windows:platform > Microsoft Windows XP </windows:platform>
          <windows:platform > Microsoft Windows Server 2003 </windows:platform>
          <product > Operating System </product>
        </affected>
        <dates >
          <submitted date="2005-12-28-10:07" >
            <contributor organization="ThreatGuard" > Robert L. Hollis </contributor>
          </submitted>
          <status_change date="2005-12-29-11:27" > DRAFT </status_change>
        </dates>
        <description >
          'Microsoft Windows allows remote attackers to execute arbitrary code via a crafted Windows Metafile (WMF) format image, possibly related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.'
        </description>
        <reference source="CVE" > CVE-2005-4560 </reference>
        <status > DRAFT </status>
        <version > 0 </version>
        <criteria >
          <software operation="OR" >
            <criterion test_ref="wrt-2" comment="Windows XP is installed" negate="false" />
            <criterion test_ref="wrt-61" comment="Windows Server 2003 is installed" negate="false" />
          </software>
        </criteria>
      </definition>
    </definitions>
    <tests >
      <registry_test id="wrt-61" comment="Windows Server 2003 is installed" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval#windows" >
        <object >
          <hive > HKEY_LOCAL_MACHINE</hive>
          <key > SOFTWARE\Microsoft\Windows NT\CurrentVersion </key>
          <name > CurrentVersion </name>
        </object>
        <data operation="AND" >
          <value operator="equals" > 5.2 </value>
        </data>
      </registry_test>
      <registry_test id="wrt-2" comment="Windows XP is installed" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval#windows" >
        <object >
          <hive > HKEY_LOCAL_MACHINE </hive>
          <key > SOFTWARE\Microsoft\Windows NT\CurrentVersion </key>
          <name > CurrentVersion </name>
        </object>
        <data operation="AND" >
          <value operator="equals" > 5.1 </value>
        </data>
      </registry_test>
    </tests>
</oval>

What's the point? Isn't this the exact kind of thing that a well-thought-out custom scripting language would be better for? Or a file/stream containing key/value pairs (i.e. "foo=123") like a conf or config.sys file?

XML is hideous, looks ugly, and complicates matters unnecessarily in my opinion. It suffers from one of the same general issues that I see Java suffering: It's like using an RV when all you need is a bicycle. But I guess when you're an XML-head, everything looks like a problem in need of an XML solution. Gah.

[Edit: I felt bad about throwing around the words 'god' and 'retarded' so casually; I pulled them from the 2nd to last paragraph.]
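
As an added example (not code from the post, from OVAL or from nCircle), this sketch evaluates the definition quoted above with a standard XML library: it resolves each test_ref, strips the padded element text and applies the operation attribute. The sample hosts and the reduction of a registry to a dict are assumptions; because the criteria read only CurrentVersion, every XP or Server 2003 host is reported as vulnerable.

```python
import xml.etree.ElementTree as ET

OVAL = "{http://oval.mitre.org/XMLSchema/oval}"
WIN = "{http://oval.mitre.org/XMLSchema/oval#windows}"

# Abridged from the definition quoted above (metadata elements dropped).
OVAL_XML = r"""<oval xmlns="http://oval.mitre.org/XMLSchema/oval">
 <definitions><definition id="OVAL1433" class="vulnerability"><criteria>
  <software operation="OR">
   <criterion test_ref="wrt-2" comment="Windows XP is installed" negate="false" />
   <criterion test_ref="wrt-61" comment="Windows Server 2003 is installed" negate="false" />
  </software></criteria></definition></definitions>
 <tests>
  <registry_test id="wrt-61" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval#windows">
   <object><hive> HKEY_LOCAL_MACHINE</hive>
    <key> SOFTWARE\Microsoft\Windows NT\CurrentVersion </key><name> CurrentVersion </name></object>
   <data operation="AND"><value operator="equals"> 5.2 </value></data></registry_test>
  <registry_test id="wrt-2" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval#windows">
   <object><hive> HKEY_LOCAL_MACHINE </hive>
    <key> SOFTWARE\Microsoft\Windows NT\CurrentVersion </key><name> CurrentVersion </name></object>
   <data operation="AND"><value operator="equals"> 5.1 </value></data></registry_test>
 </tests></oval>"""

def load_tests(root):
    """Map test id -> ((hive, key, name), operator, expected), whitespace stripped."""
    tests = {}
    for t in root.iter(WIN + "registry_test"):
        path = tuple(t.find(f".//{WIN}{f}").text.strip() for f in ("hive", "key", "name"))
        value = t.find(f".//{WIN}value")
        tests[t.get("id")] = (path, value.get("operator"), value.text.strip())
    return tests

def evaluate(xml_text, registry):
    """Return {definition id: True if the criteria match this host's registry}."""
    root = ET.fromstring(xml_text)
    tests, results = load_tests(root), {}
    for d in root.iter(OVAL + "definition"):
        software = d.find(f".//{OVAL}software")
        hits = []
        for c in software.iter(OVAL + "criterion"):
            path, op, expected = tests[c.get("test_ref")]
            if op != "equals":  # only the operator used in this definition is handled
                raise ValueError(f"unsupported operator: {op}")
            hits.append((registry.get(path) == expected) != (c.get("negate") == "true"))
        results[d.get("id")] = any(hits) if software.get("operation") == "OR" else all(hits)
    return results

# Constructed sample hosts: each registry is reduced to the one value the tests read.
CV = ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion", "CurrentVersion")
XP_HOST, W2K3_HOST, W2K_HOST = {CV: "5.1"}, {CV: "5.2"}, {CV: "5.0"}
```
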

Comments (6)

terlin:

Byron,

You might take a little time to understand the purpose of XML before you go bad-mouthing it. You could start with the Wiki entry:

http://en.wikipedia.org/wiki/XML

The point of XML is to provide a *standard* markup language. Application developers are dealing with various types of data all the time. If, as used to be and still is often the case, everyone used a different data format standard, you'd get frustrated *very* quickly. A 'custom scripting language' would be just that: custom. The value of XML is that once you learn to manage it, you don't have to understand all the data to work with it.

It may be that you pay for a text-based standard with some overhead, but in the machine world it's well worth it. XML is not intended for human consumption! That's also why OVAL provides 'pseudo-code' that's much more human readable.

Let's look at the case you provide: what if OVAL provided a custom scripting language for this stuff? Well, first of all, you'd have to throw out all the standard tools for dealing with XML that exist in most languages. So the overhead of processing XML is outweighed by the fact that you have to write a new library for dealing with the custom scripts.

Now expand that outside of OVAL specifically. If I'm a developer I'd much rather build an application off of a recognized standard than a custom language, right? So OVAL can more easily take advantage of the pool of developers who are comfortable with XML instead of trying to convince developers to learn their custom language.

Whatever weaknesses XML may have, it's clearly better than using a custom data format for every application out there.

Byron Sonne:

That's the great thing about 'standards' - there's so many to choose from.

I'll believe there are 'standard' XML tools and 'standard' ways of doing things when I see everyone using XML in a 'standard' way ;)

Christ, we can't even get HTML properly standardized across browsers... now we want another new markup/data standard for use across an even wider variety of applications? Feh.

"XML is not intended for human consumption!" - You gotta be kidding me... let's see, it's written in English, it's text, and it's a markup language. Those are all indications that mean, intended or not, that it can and will be consumed by humans.

Hey, all we need to do now is muck it up even more with some ASN.1 and BER too.

Just for giggles, I spent a couple minutes and this is probably something like how I'd do it:

schema_version="4.2"
timestamp="20051229114905"
definition="vulnerability"
id=OVAL1433
family="windows"
os="Microsoft Windows XP","Microsoft Windows Server 2003"
arch="x86","ia64","x86-64"
submitted date="2005-12-28-10:07"
contributor organization="ThreatGuard"
contributor="Robert L. Hollis"
status="draft"
status_change date="2005-12-29-11:27"
description="'Microsoft Windows allows remote attackers to execute arbitrary code via a crafted Windows Metafile (WMF) format image, possibly related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.'"
reference source=cve,"CVE-2005-4560", draft, 0
test_types="registry"
registry test="Windows XP is installed", "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion", equals, 5.1
registry test="Windows Server 2003 is installed", "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion", equals, 5.2

There we go... machine and human readable, simple to parse, and without the XML fluff that in my mind adds nothing of great use.

Paraphrasing Peter Weill:

"XML is like cardboard. It is a very useful packing material because it is malleable and self-describing. Cardboard is itself a large worldwide industry because it is so useful. Often the cardboard used in packaging is heavier than the actual contents of the package. So we should not really be complaining about the “angle brackets” because that’s really not the point."
(Source: http://jimbots.com/blog/?p=12)

Byron Sonne:

The cardboard analogy is quite good.

Especially since I frequently receive stuff from fools and businesses all the time where items the size of a pencil or deck of cards are packaged in a cardboard box big enough to hold a couple large dictionaries. The same kind of idiots that you see retailing a single nail-file shrink-wrapped to a piece of cardboard 8" tall and 4" wide.

Cardboard is used far too frequently and in far too large amounts, is a mess to manufacture, and generally bad for the environment. Just like XML!

You know it would be very trivial to use one of the standard XML parsing libraries out there to convert this to the key/value pair format you described.

Byron Sonne:

I have no doubts it would be easy. But why bother going through this step at all?

It's not like it matters, the deal is done, but I still get to gripe about it ;)


About

This page contains a single entry from the blog posted on January 5, 2006 7:25 AM.
