- From: Nathan <nathan@webr3.org>
- Date: Tue, 18 May 2010 11:40:48 +0100
- To: Niklas Lindström <lindstream@gmail.com>
- CC: Linked Data community <public-lod@w3.org>
Niklas Lindström wrote:
> Hi all!
>
> Does there exist any advice regarding whether HTTPS URI:s constitute
> good identifiers (canonical URI:s)? Or is the HTTPS protocol an
> implementation detail better led to via redirection, HTTP Upgrade or
> similar?
>
> And would it be fair to claim that non-HTTPS URI:s are "potentially
> harmful" due to the risk of man-in-the-middle attacks? Or is (e.g.)
> HTTPS not enough by itself (since trusting a certificate is still up
> to the carefulness of clients), so it would be moot to promote it by
> itself in Linked Data scenarios? I suppose that using HTTPS for each
> URI leads to higher demands on the publisher, but I'd prefer more
> solid arguments for/against recommending it..

Good questions :) I'd also add:

1: HTTPS URIs for WebIDs are still open to man in the middle attacks via DNS re-routing because the WebID doesn't contain a fingerprint of the public key - DNSSEC should address this (others have pointed me to this, I'm not so clever as to have realised myself!)

2: What does it mean to GET from an http scheme URI, but PUT/DELETE from an https scheme URI - this appears to be a grey area (?) where:

http://example.org/resource

https://example.org/resource

could be (and are) the same resource but have different identifiers, hence the above question (especially if protected by web access control).

Best,

Nathan

Received on Tuesday, 18 May 2010 10:41:39 UTC