Re: Fwd: SPARQL 1.1 security considerations

From: Andy Seaborne <andy.seaborne@epimorphics.com>
Date: Tue, 03 Jan 2012 11:19:51 +0000
Message-ID: <4F02E457.9050909@epimorphics.com>
To: public-rdf-dawg@w3.org, Thomas Roessler <tlr@w3.org>


On 03/01/12 03:45, Axel Polleres wrote:
>
> As far as the security considerations are concerned, a few observations
> and questions:
>
> 1. It appears from some parts of the specification that an UPDATE sent
> to a SPARQL endpoint can cause that endpoint to send an UPDATE to
> another SPARQL endpoint.  It doesn't look as though SPARQL includes any
> considerations around authentication and authorization for these sorts
> of scenarios.  Is the first endpoint supposed to just pass on
> credentials?  Something else?   Unspecified?  It would be useful to
> explain the delegation story in the security considerations a bit more,
> even if it boils down to "haven't dealt with it yet".

This should not be possible.  A SPARQL Update language can't talk about 
or cause a remote update.

An update can contain a remote query (read-only) - maybe that is the
confusion: "SPARQL endpoint" is ambiguous as to query vs update.

	Andy
Received on Tuesday, 3 January 2012 11:20:19 GMT
