- From: Dan Connolly <connolly@w3.org>
- Date: Wed, 8 Nov 2006 14:54:41 -0500
- To: Henry Story <henry.story@bblfish.net>
- Cc: Ed Davies <edavies@nildram.co.uk>, www-tag@w3.org
On Nov 8, 2006, at 12:30 PM, Henry Story wrote: > On 8 Nov 2006, at 14:20, Ed Davies wrote: > >> >> Section 2.2 of The use of Metadata in URIs >> >> http://www.w3.org/2001/tag/doc/metaDataInURI-31-20061107.html >> >> incites the manipulation of URLs to obtain access to resources >> which has not been specifically authorized. In the UK such >> access would be a contravention of the Computer Misuse Act >> 1990. I know it's idiotic, but there's case law to support >> it. Google for Daniel Cuthbert for a relevant case. > > To me, unauthorised resources should be protected by Access control > mechanism, not by the shape of the url. You're not alone... > I suppose case law can be shown to be wrong too. > > >> Questions: >> >> 1. Should this TAG finding note this point? I think we already have... "Deep Linking" in the World Wide Web TAG Finding 11 Sep 2003 http://www.w3.org/2001/tag/doc/deeplinking-20030911 >> 2. Can a TAG finding define or change the meaning of a URL, >> an HTTP access or other protocol element in such a way >> as to change the interpretation of the law in a country? Possibly; it's hard to say how legal institutions will treat TAG findings, but in developing the 2003 finding cited above, I think the TAG's discussion may have had some impact on public policy. >> 3. Should a TAG finding define...? >> >> This is all rather silly but if the TAG can word this document >> in a way that makes it clear that not only is it true that: >> >>> Still, the ability to explore the Web informally and experimentally >>> is very valuable, and Web users act on such guesses about URIs all >>> the time. >> >> but also that it is an implicit part of running a web server >> to accept that such experimentation is legitimate then they'd >> be doing all of us a favour. There's a grey line between experimentation and abuse, as noted in the deep linking finding... "Unethical parties could, of course, attempt to circumvent such policies, for example by programming software to transmit false values in various request fields, or by stealing passwords, or any number of other nefarious practices. Such a situation has clearly passed from the domain of technology to that of policy. Public policy may need to be developed as to the seriousness of such attempts to subvert the system, the nature of proof required to establish a transgression, the appropriate penalties for transgressors, and so on." -- Dan Connolly, W3C http://www.w3.org/People/Connolly/
Received on Wednesday, 8 November 2006 19:55:06 UTC