W3C home > Mailing lists > Public > www-rdf-interest@w3.org > March 2004

Re: Making MGET more GET-friendly?

From: Benja Fallenstein <b.fallenstein@gmx.de>
Date: Wed, 10 Mar 2004 10:32:09 +0200
Message-ID: <404ED289.1030806@gmx.de>
To: Dirk-Willem van Gulik <dirkx@asemantics.com>
Cc: David Powell <djpowell@djpowell.net>, www-rdf-interest@w3.org

Dirk-Willem van Gulik wrote:
>> How about if it was MANDATORY for responses to MGET to have a
> s/MGET/GET/ perhaps ?
>> Content-Location header giving a URL which could be used to retrieve
>> the metadata via GET. 

No, if GET had a Content-Location header it would give the location of 
the *representation*, not the description. However, there could be a 
Metadata-Location header or somesuch. Let's assume this below.

> Now I am _not_ saying that the above is impossible; just that the model
> is more geared towards 1 on 1 relations between data and metadata
> and that it sort of assums very similar access vectors.

I know basically two ways of authenticating a connection to an HTTP 
server: HTTP authentication; and layers "below" HTTP, as in HTTPS, or 
SSH tunnels.

If you have HTTP authentication, before authentication the server 
returns a challenge, which could include the URI of the metadata in its 
headers, so somebody who cannot access the data may be able to access 
the metadata. The other way around, the URI of the metadata can 
obviously have more restrictive access control than the data itself. So 
in this case, I don't see why the Metadata-Location approach would allow 
for less access control.

If you have HTTPS or SSH tunneling, in the MGET case data and metadata 
have the same level of access control, because both use the same type of 
connection to the server.

(Hm, you could configure the server to allow MGET from any host, and GET 
only when the connection goes through some "secured" line. But then, the 
server would return a 403 to a GET from a non-authorized host; this 403 
could include the metadata location; and thus again we could have the 
same access control with Metadata-Location.)

So I don't agree with your argument against this approach, because I 
think it supports the same models for access control that pure MGET 
supports. (Not mentioning of course that David didn't propose to give up 
on MGET, so for clients that can support that it's still available.)

- Benja
Received on Wednesday, 10 March 2004 03:32:44 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:07:50 UTC