
Re: Standardizing Firefox's Implementation of Link Fingerprints

From: Mark Nottingham <mnot@yahoo-inc.com>
Date: Tue, 3 Jul 2007 11:59:09 +1000
Message-Id: <226A6E7B-B426-449E-9034-832FF7E33A18@yahoo-inc.com>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
To: Edward Lee <edilee@mozilla.com>

+1; standardising the format of metadata in a URI is bad practice.  
Yes, making the hash external to the link means you need some way to  
carry it -- such as another attribute -- but link metadata is a  
problem in other domains too, and piling it all into the URL is going  
to end up as a mess.

Doing it this way makes the Web much more brittle, and just pushes  
the problem one step along -- if the links are compromised, the same  
risks are present.

Please don't do this.

On 2007/07/03, at 11:04 AM, Roy T. Fielding wrote:

> On Jul 2, 2007, at 4:21 PM, Edward Lee wrote:
>> For Firefox 3, there are patches [1] that implement Link Fingerprints,
>> which provide automatic resource verification for URIs that look like
>> http://site.com/file#hash(sha256:abc123) so that link providers can be
>> sure that end users download the exact file that the provider intended
>> (and not a trojaned download).
> Identifiers should not be abused in this way.  Adding metadata to a  
> that is orthogonal to its identifying purpose duplicates the space of
> references and splits the power of the resulting resources.  The same
> task can be accomplished better by specifying the hash in an attribute
> of the link/anchor instead, and deploying that is far less likely to
> confuse existing clients.
> ....Roy

Mark Nottingham       mnot@yahoo-inc.com
Received on Tuesday, 3 July 2007 01:59:56 UTC
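
The two ways of carrying the hash that this message discusses, as an added example that is not part of the original message and is not Firefox's code. It parses the fragment form quoted above and a digest carried outside the URL, then runs the same check on the downloaded bytes; the `sha256:<hex>` attribute value format, the function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import urldefrag

# Fragment form quoted in the thread: #hash(sha256:<hex digest>)
FRAGMENT_RE = re.compile(r"^hash\(([a-z0-9]+):([0-9a-fA-F]+)\)$")
# Assumption for this sketch: only full-length SHA-256 digests are accepted.
HEX_LENGTH = {"sha256": 64}


def split_fragment_fingerprint(url):
    """Return (bare_url, alg, hexdigest); alg and hexdigest are None if absent."""
    bare, fragment = urldefrag(url)
    match = FRAGMENT_RE.match(fragment)
    if match is None:
        return bare, None, None
    return bare, match.group(1), match.group(2).lower()


def parse_attribute_fingerprint(value):
    """Parse a hypothetical link-attribute value of the form 'sha256:<hex>'."""
    alg, _, hexdigest = value.strip().partition(":")
    return alg.lower(), hexdigest.lower()


def verify(body, alg, hexdigest):
    """True only if body hashes to the expected digest under an allowed algorithm."""
    if alg is None or HEX_LENGTH.get(alg) != len(hexdigest or ""):
        return False  # unknown algorithm or truncated digest: fail closed
    actual = hashlib.new(alg, body).hexdigest()
    return hmac.compare_digest(actual, hexdigest)


# Constructed sample data, not taken from the thread.
INTENDED = b"installer bytes the provider published"
SUBSTITUTED = b"different bytes served in their place"
DIGEST = hashlib.sha256(INTENDED).hexdigest()
FRAGMENT_LINK = "http://site.com/file#hash(sha256:" + DIGEST + ")"
ATTRIBUTE_VALUE = "sha256:" + DIGEST

if __name__ == "__main__":
    bare, alg, hexdigest = split_fragment_fingerprint(FRAGMENT_LINK)
    print(bare, verify(INTENDED, alg, hexdigest), verify(SUBSTITUTED, alg, hexdigest))
    print(verify(INTENDED, *parse_attribute_fingerprint(ATTRIBUTE_VALUE)))
```

In both forms the check only binds the downloaded bytes to whatever digest the link carries, so a client has to obtain the link itself over a channel it trusts.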
