RE: "The use of Metadata in URIs" and UK law

> From: Pat Hayes
> 
> >Henry Story wrote:
> >>To me, unauthorised resources should be protected by Access control
> >>mechanism, not by the shape of the url.
> >
> >To me too, but apparently not to the lawyers in this case.
> >
> >The key question is, in my view, what the meaning of a GET request
> >is.  Is it "give me a representation of this resource which I assert
> >I am authorized to access" or is it "please give me a representation
> >of this resource if you think that the user name, password, referer,
> >or whatever, of this request entitles me to it"?
> 
> I suggest that it is not, and cannot possibly be, either of these. Or 
> indeed any other English paraphrase of some communication act between 
> human beings. GET is not a conversation, it is a mechanical transfer 
> protocol. We can of course speak metaphorically using this language, 
> just as we speak of machine "instructions" and software "agents" and 
> so on: our technical vocabulary is riddled with these suggestive 
> usages. But sometimes it is vitally important to remind ourselves 
> that these really are only suggestive metaphors. Computer hardware 
> does not obey as humans obey orders; software does not act as humans 
> act; and GET does not request, assert, claim or suggest in any human 
> senses of these words. It simply initiates a process which results in 
> bytes being transferred from one place to another on a network.

That seems almost as extreme as claiming that people don't give orders,
they merely use their vocal chords to vibrate air molecules.  There is
an intent behind those vibrating air molecules, just as their is an
intent behind a GET request, however I admit that discerning the intent
of a specific act may not be easy.

But regarding the GET request in general, it seems to me that the HTTP
protocol specification makes very clear that a GET request is just that
-- a request -- and it is up to the web server to decide whether to
grant the request (200 OK) or deny it (401 Unauthorized, 403 Forbidden,
405 Method not Allowed, 406 Not Acceptable, etc.).  That's what those
response codes are for.

David Booth

Received on Monday, 13 November 2006 18:19:49 UTC