- From: Aredridel <aredridel@nbtsc.org>
- Date: 28 Jul 2003 19:21:26 -0600
- To: www-rdf-interest@w3.org
> For security reasons software dealing with this stuff should generally
> assume that most people are malicious and the rest are idiots as far as
> possible. To accept the identification of uri1 and http://www.w3.org/ I'm
> going to want either to be told this by somebody I trust, or at the very
> least be told this by both uri1Owner and the W3C (I would take the W3C's word
> for it that what I can retrieve from uri1 is a valid representation of
> http://www.w3.org/, but not the inverse). Even in this case I would retry
> the URI I was given after the information on the identification of the same
> resource by the two URIs became stale.

Existing mechanisms should be enough to prevent a security issue.

Now, a potentially "real life" example:

http[s]://www.w3.org/ has metadata that states https://www.w3.org/key is a signature key for "Authoritative" information

http://www.example.org/~foo/bla is/has metadata that states that http://www.w3.org/ and http://www.example.org/1234 are the same resource, and equivalent representations, and the statement is signed with the key https://www.w3.org/key, then your browser may have enough information (assuming that https://www.w3.org had a valid and trustable certificate) to direct (according to http://www.example.org/~foo/bla's instructions, authorised by https://www.w3.org/key) your browser to http://www.example.org/1234 should the situation merit (perhaps it is a more local mirror).

For that to happen, RDF needs a schema for signatures of statements (detached signatures as meta-statements, perhaps?), and a schema item for equivalent representations of a resource -- owl:isSameIndividual or whatnot, or perhaps a more specific, web-oriented namespace set -- a hypothetical w3:isSameRepresentationAs, (perhaps also w3:isMirrorOf and w3:ipTopologyLocation) or something equivalent.

Ari
Received on Tuesday, 29 July 2003 01:02:29 UTC
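The acceptance check sketched in the message above, as an added example that is not part of the original post: a client decides whether a signed equivalence statement lets it fetch a mirror instead of the requested URI. Assumptions: the toy RSA key stands in for a real signature scheme, and `may_redirect`, the `key_decl` fields, and the TTL-based staleness rule are hypothetical names and choices made for this illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Toy RSA key constructed for this example (two Mersenne primes); NOT secure.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
PREDICATE = "w3:isSameRepresentationAs"  # hypothetical term from the message

def digest(stmt, n):
    """Hash a (subject, predicate, object) statement into the RSA modulus."""
    data = "\n".join(stmt).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(stmt):
    """Detached signature, as the holder of https://www.w3.org/key would make it."""
    return pow(digest(stmt, N), D, N)

def may_redirect(requested, candidate, stmt, sig, key_decl, now):
    """Return (allowed, reason) for fetching candidate in place of requested."""
    if not key_decl["tls_valid"]:
        return False, "key declaration not fetched over verified HTTPS"
    # Only the authority for the requested URI may vouch for its mirrors;
    # a mirror vouching for itself (the inverse) is not accepted.
    if urlsplit(key_decl["declared_by"]).hostname != urlsplit(requested).hostname:
        return False, "key not declared by the requested resource's authority"
    if stmt != (requested, PREDICATE, candidate):
        return False, "statement does not cover this pair of URIs"
    n, e = key_decl["public_key"]
    if pow(sig, e, n) != digest(stmt, n):
        return False, "bad signature"
    if now >= key_decl["fetched_at"] + key_decl["ttl"]:
        return False, "stale: retry the original URI"
    return True, "ok"

# Constructed sample data mirroring the URIs used in the message.
W3, MIRROR = "http://www.w3.org/", "http://www.example.org/1234"
STMT = (W3, PREDICATE, MIRROR)
SIG = sign(STMT)
KEY_DECL = {"declared_by": "https://www.w3.org/", "key_uri": "https://www.w3.org/key",
            "public_key": (N, E), "tls_valid": True, "fetched_at": 0, "ttl": 3600}

if __name__ == "__main__":
    print(may_redirect(W3, MIRROR, STMT, SIG, KEY_DECL, now=10))
```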