W3C home > Mailing lists > Public > site-comments@w3.org > June 2007

Re: [Fwd: shorter /TR links and https://w3.org]

From: Ted Guild <ted@w3.org>
Date: Thu, 31 May 2007 21:16:24 -0400
To: Jacek Kopecky <jacek.kopecky@deri.org>, "Ian B. Jacobs" <ij@w3.org>
Cc: w3t-sys@w3.org
Message-ID: <nnbvee81nkn.fsf@dev-null.guilds.net>


> -------- Forwarded Message --------
>> From: Jacek Kopecky <jacek.kopecky@deri.org>
>> Subject: shorter /TR links and https://w3.org
[]
>> I have two items on the Website as it stands:
>> 
>> 1) I suggest that w3.org be accessible over HTTPS, if only for
>> Member-only resources. I'm getting tired of the feeling that I'm sending
>> my W3C credentials over HTTP Basic authentication. Using a self-signed
>> certificate would be sufficient from my POV.

Jacek,

Thank you for the suggestions.  I will only respond to the first, you
should receive a reply on the second as well.  We have been unhappy
with Basic Authentication but bound to it over Digest Authentication
for a number of years due to an implementation problem (it doesn't
implement https correctly) in several versions of a particular, widely
used client.  There is now a sufficient workaround for that client and
we are considering, testing a development version of our custom Apache
auth module in fact, moving in that direction.

We are also just starting to evaluate OpenID as potentially more
suitable for us for a number of reasons including Digest
Authentication cannot be proxied by services (W3C pubrules, XSLT, our
Validators, online Tidy, etc.).

Serving all W3C content over SSL, redirecting to https only if
authentication is required, would double the number of authenticated
requests and the second request over SSL would cost us more in CPU
resources encrypting the entire communication not just the
credentials.  Our server budget and volume of traffic on www.w3.org,
lists.w3.org and other servers have persuaded us not to do this.  We
would also have the problem of https://www.w3.org being advertised
(linked) by users for resources where no authorization is required.

Regards,

-- 
Ted Guild <ted@w3.org>
W3C Systems Team
http://www.w3.org
Received on Friday, 1 June 2007 01:17:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 24 October 2012 16:21:30 GMT