W3C home > Mailing lists > Public > uri@w3.org > April 2003

Re: secure URIs

From: Trevor Perrin <trevp@trevp.net>
Date: Tue, 29 Apr 2003 23:39:58 -0700
To: Simon Josefsson <jas@extundo.com>
Cc: "Roy T. Fielding" <fielding@apache.org>, uri@w3.org
Message-id: <5.2.0.9.0.20030429232857.02f78d60@pop.comcast.net>

At 03:25 AM 4/30/2003 +0200, Simon Josefsson wrote:
> >>
> >>The characteristic I liked about my idea was that the original URL was
> >>not modified, only embedded.  This simplifies implementation slightly.
> >
> > true.  Would you want to rename "meta" to "secure" or "crypto"?  Then
> > it becomes a little more readable..
> >
> > secure:http://www.blabla...
> > secure:mailto:alice@acme.com...
>
>I agree meta: isn't very informative, so a better name would be good.
>On the other hand, secure/crypto might be too narrow.  I'm thinking
>about other possible "metadata" you might want to attach to an URL.
>E.g.:

I can't think of great uses for metadata like this beside crypto data, so I 
wouldn't mind having a "secure" scheme just targeted to document hashes, 
key/cert fingerprints, and key/cert-retrieval URLs, unless there's a 
compelling reason to broaden it.


>meta:preferred_language=fr:http://www.debian.org/
>
>Although this example is probably not a good one, as it is http
>specific.
>
> >> > I'm denoting a secure scheme by appending "-" to the base scheme,
> >> > you're denoting a secure scheme (or metadata-enhanced scheme) by
> >> > "meta", with the base scheme in the scheme-specific part.  I'm not
> >> > sure which way is better.
> >>
> >>According to RFC 2396, the '-' character is a valid trailing scheme
> >>character.  Since I assume you are not proposing to register 'http-',
> >>'ftp-', etc individually, but rather extend the base specification so
> >>this idea automatically applies to all URI schemes, using a currently
> >>invalid scheme character might be better.  Then old software will not
> >>be confused if someone is currently using a private scheme named
> >>'myownhack-://...'.  So instead it could be 'http*://...'.  Although I
> >>still prefer my idea.  It doesn't require any modification to the base
> >>specification, just a new meta: URL registration.
> >
> > Interesting..  I wanted to use asterisks, but I thought software
> > unfamiliar with secure URIs might puke on seeing a document with an
> > invalid scheme character.  So I chose "-" as a trailer since there's
> > currently no schemes using it, and I figured we could just cross our
> > fingers about private schemes.
>
>It may be safer if old software puked on it, rather than possibly
>parse it as an existing private-use URI.  But this is really mostly a
>theoretical problem.
>
>I do prefer registering one new URL scheme, instead of either
>modifying the base specification or register many URL scheme, though.

yeah..  I prefer that too, after further thought.  I'm in favor of a 
"secure" scheme with the URI first, since then it kinda reads as if "secure 
http" or whatever is the scheme name, which just looks nice:

secure:http://www.whatever.com:sha256=...
secure:mailto:alice@whatever.com:x509_sha1=...
etc..

Trevor 
Received on Wednesday, 30 April 2003 02:40:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 13 January 2011 12:15:31 GMT