RE: Do resources have representations? from Jon Hanna on 2003-07-28 (www-rdf-interest@w3.org from July 2003)

From: Jon Hanna <jon@spin.ie>
Date: Mon, 28 Jul 2003 18:39:23 +0100
To: <www-rdf-interest@w3.org>
Message-ID: <NDBBLCBLIMDOPKMOPHLHAEGHFGAA.jon@spin.ie>
> A simple problem with this is: I can make an HTML page and publish it at
> uri1. Additionally I can state (maybe in metadata inside the page) that
> uri1 owl:sameAs <http://www.w3.org/>.
>
> If your browser retrieves this page through HTTP, it can conclude that
> uri1 *really* is owl:sameAs <http://www.w3.org/>. Why? Because the
> person who owns that URI (me) has made a statement to that effect.
>
> Even if everything that I claim about the resource identified by both
> uri1 and <http://www.w3.org/> is in fact not true, that doesn't change
> the fact that the two URIs identify the same resource; as the owner of
> uri1, I can state that axomiatically, which makes it true...
>
> Therefore, following your logic, your browser could serve *anything* I
> put up at uri1 when you ask it for <http://www.w3.org/>. (If
> <http://www.w3.org/> denotes a web page, that's not a problem; I can
> still create another URI to denote the same web page!)

Who do you know? Who do you trust? Who said what?

uri1Owner says uri1 is the same as w3.org. Do I trust uri1Owner?
Even if I do, do I trust what uri1Owner has to say about w3.org (I may
consider him honest but misinformed).

Let's say dereferencing uri1 gives us the document:

<html>W3.org is full of rubbish</html>

It isn't valid HTML, but then is the author of the above going to care about
valid HTML :)

Well, say I don't agree with uri1Owner. I can put something on the web
(semantic or otherwise) that says so:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
	<head><title>My opinions of uri1Owner</title></head>
	<body><p>I don't agree with uri1Owner's opinions of w3.org</p></body>
</html>

I of course make my XHTML valid...

This is all part and parcel of the way the web works and the freedom of
speech which most of us enjoy to varying degrees depending on jurisdiction
and ability to hire good lawyers.

On the semantic web we are going to have the same freedom. It's pretty much
impossible to prevent us having that freedom through technological means
(and I sure as hell don't want to try to explain all this to my lawyer, as
relatively l33t as she may be).

For security reasons software dealing with this stuff should generally
assume that most people are malicious and the rest are idiots as far as
possible. To accept the identification of uri1 and http://www.w3.org/ I'm
going to want either to be told this by somebody I trust, or at the very
least be told this by both uri1Owner and the W3C (I would take the W3Cs word
for it that what I can retrieve from uri1 is a valid representation of
http://www.w3.org/, but not the inverse). Even in this case I would retry
the URI I was given after the information on the identification of the same
resource by the two URIs became stale. Existing mechanisms should be enough
to prevent a security issue.

> When clicking on the link, in the tradition of Web pages I'd still
> expect to be taken to the Web page that the person of the link referred
> me to, not to some other description of the same person.
>
> I think that this is described well by what Peter said-- when I make the
> link in HTML, it not only represents a resource, but also gives a
> particular point of view on that resource (in Peter's terms, an
> intension).

Yes, But that is application defined. If I opened up dirtDigger2.0[1] and
fire in an email address I *want* lots of "I hate these people" style
representations. Applications always provide there own semantics on top of
whatever data is worked on. Some SemWeb applications might deliberately
attempt to provide as little semantics of there own for obvious reasons, but
in that case the user should be aware of this, and able to deal with the
representations retrieved in an appropriate manner.

In the case of simple link transversal, if there is information available
that says that the URI in question (URI1) identifies the same resource as
another (URI2) then:

1. There is no need to look at this information if dereferencing URI1 works
in and of itself. Since this involves trusting at least one less principal
than dereferencing URI2 this should be tried first.

2. Use of the triple linking the two URIs is an operation involving
retrieved resources, as such security policies must be applied to the
operation the same as any such operation on the web today. Generally this
will result in our either trusting the link between the two URIs, not
trusting it, or prompting the user as to whether we should trust it. This
operation may be simple, may involve a complicated distributed trust system,
or somewhere in between.

3. Use of the triple should be clear. Semantics should always be reflected
back to the user in a meaningful way, in this case a message similar to that
some browsers will display when moving between HTTP and HTTPS could be
useful.

The two URIs identifying the same resource isn't the issue, the assertion
that they do so is, and the security implications of this must be dealt with
similarly to any other assertions.


[1] Is the phrase "digging dirt" internationally recognised, or am I using a
colloquialism, anyway it means finding out scandalous information about
someone.
Received on Monday, 28 July 2003 13:36:12 UTC