W3C home > Mailing lists > Public > uri@w3.org > April 2003

Re: secure URIs

From: Trevor Perrin <trevp@trevp.net>
Date: Tue, 29 Apr 2003 17:18:32 -0700
To: Simon Josefsson <jas@extundo.com>
Cc: "Roy T. Fielding" <fielding@apache.org>, uri@w3.org
Message-id: <5.2.0.9.0.20030429165535.02faed88@pop.comcast.net>

At 01:52 AM 4/30/2003 +0200, Simon Josefsson wrote:

>Trevor Perrin <trevp@trevp.net> writes:
>
> > At 12:59 AM 4/30/2003 +0200, Simon Josefsson wrote:
> >
> >>There are merits to the idea that security metadata should not be part
> >>of URIs.  Here is one idea that implement the fundamental idea (which
> >>I still believe is useful) without modifying URIs, like the above
> >>approach does.
> >>
> >>The syntax would be:
> >>
> >>meta:<METADATA>:<URI>
> >>
> >>So to embed that a HTTP resource should have a certain SHA-1 hash (for
> >>integrity, or even authentication, purposes) would be (this happens to
> >>be a working example):
> >>
> >>meta:sha1=oHn3H7i+rYwEnZulnHb09KO/6Ro=:http://josefsson.org/key.txt
> >>
> >>Thoughts?
> >
> > I like that too.  I'd put the <URI> first, for readability.  Then it
> > doesn't look too different from my suggestion.
>
>The characteristic I liked about my idea was that the original URL was
>not modified, only embedded.  This simplifies implementation slightly.

true.  Would you want to rename "meta" to "secure" or "crypto"?  Then it 
becomes a little more readable..

secure:http://www.blabla...
secure:mailto:alice@acme.com...


> > One difference is I was using brackets to separate the URI from crypto
> > data.  Since brackets aren't "uric" characters, that's probably a bad
> > idea.  So if I change my initial approach to use a colon, like yours
> > does, and change yours to put the URI first, we can see the remaining
> > difference:
> >
> > http-://josefsson.org/key.txt:sha1=oHn3H7i+rYwEnZulnHb09KO/6Ro=
> > meta:http://josefsson.org/key.txt:sha1=oHn3H7i+rYwEnZulnHb09KO/6Ro=
> >
> > I'm denoting a secure scheme by appending "-" to the base scheme,
> > you're denoting a secure scheme (or metadata-enhanced scheme) by
> > "meta", with the base scheme in the scheme-specific part.  I'm not
> > sure which way is better.
>
>According to RFC 2396, the '-' character is a valid trailing scheme
>character.  Since I assume you are not proposing to register 'http-',
>'ftp-', etc individually, but rather extend the base specification so
>this idea automatically applies to all URI schemes, using a currently
>invalid scheme character might be better.  Then old software will not
>be confused if someone is currently using a private scheme named
>'myownhack-://...'.  So instead it could be 'http*://...'.  Although I
>still prefer my idea.  It doesn't require any modification to the base
>specification, just a new meta: URL registration.

Interesting..  I wanted to use asterisks, but I thought software unfamiliar 
with secure URIs might puke on seeing a document with an invalid scheme 
character.  So I chose "-" as a trailer since there's currently no schemes 
using it, and I figured we could just cross our fingers about private schemes.

But either way, following my suggestion we'd have to change the base 
specification to disallow future use of "-" as a trailer, or allow use of 
"*" as a trailer, whereas your proposal doesn't impact the base spec.  If 
you changed "meta" to "secure", I'd probably prefer your approach (I'd need 
to think about it a bit more), since it's also more readable.

Trevor 
Received on Tuesday, 29 April 2003 20:19:21 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 13 January 2011 12:15:31 GMT