W3C home > Mailing lists > Public > uri@w3.org > April 2003

Re: secure URIs

From: Trevor Perrin <trevp@trevp.net>
Date: Tue, 29 Apr 2003 16:36:33 -0700
To: Simon Josefsson <jas@extundo.com>
Cc: "Roy T. Fielding" <fielding@apache.org>, uri@w3.org
Message-id: <5.2.0.9.0.20030429161959.02f961b0@pop.comcast.net>

At 12:59 AM 4/30/2003 +0200, Simon Josefsson wrote:

>There are merits to the idea that security metadata should not be part
>of URIs.  Here is one idea that implement the fundamental idea (which
>I still believe is useful) without modifying URIs, like the above
>approach does.
>
>The syntax would be:
>
>meta:<METADATA>:<URI>
>
>So to embed that a HTTP resource should have a certain SHA-1 hash (for
>integrity, or even authentication, purposes) would be (this happens to
>be a working example):
>
>meta:sha1=oHn3H7i+rYwEnZulnHb09KO/6Ro=:http://josefsson.org/key.txt
>
>Thoughts?

I like that too.  I'd put the <URI> first, for readability.  Then it 
doesn't look too different from my suggestion.

One difference is I was using brackets to separate the URI from crypto 
data.  Since brackets aren't "uric" characters, that's probably a bad 
idea.  So if I change my initial approach to use a colon, like yours does, 
and change yours to put the URI first, we can see the remaining difference:

http-://josefsson.org/key.txt:sha1=oHn3H7i+rYwEnZulnHb09KO/6Ro=
meta:http://josefsson.org/key.txt:sha1=oHn3H7i+rYwEnZulnHb09KO/6Ro=

I'm denoting a secure scheme by appending "-" to the base scheme, you're 
denoting a secure scheme (or metadata-enhanced scheme) by "meta", with the 
base scheme in the scheme-specific part.  I'm not sure which way is better.

Trevor 
Received on Tuesday, 29 April 2003 19:38:04 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 13 January 2011 12:15:31 GMT