Re: Comments on "Good Practices for Capability URLs" FPWD from Jonathan A Rees on 2014-06-08 (www-tag@w3.org from June 2014)

From: Jonathan A Rees <rees@mumble.net>
Date: Sat, 7 Jun 2014 22:22:55 -0400
To: Noah Mendelsohn <nrm@arcanedomain.com>
Cc: "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <CAGnGFMJ1UL=o2bsfdArcuEJG9oQVi84WarbJGqPW12D-n8gT0Q@mail.gmail.com>

On Sat, Jun 7, 2014 at 12:56 AM, Noah Mendelsohn <nrm@arcanedomain.com>
wrote:

> These are comments on "Good Practices for Capability URLs
> W3C First Public Working Draft 18 February 2014" [1].
>
> First of all, I am delighted that the TAG has decided to return to this
> issue. Before giving more detailed comments and notes, I should state my
> own general opinion, which was expressed repeatedly in earlier TAG
> discussions: although there are cases where it is reasonable to gamble on
> having URLs be kept secret, the Web is not in general designed to preserve
> such URL secrecy. That being the case, I think it's a mistake to encourage
> use of capability URLs. I worry that we will go down a slippery slope of
> requiring that user agents, proxies, logging software, etc. be required to
> maintain the confidentiality of URLs in cases where the current normative
> specifications do not require such confidentiality.
>
> I believe this opinion is consistent with the draft Recommendations, but I
> restate it here because it was very controversial when I made this case in
> earlier TAG discussions (see below).
>
> Here are some more detailed comments and notes. I hope these may be useful
> as you edit the draft:
>
> * Perhaps you are already aware, but we had an ACTION-278 [1] opened in
> 2009 substantially devoted to this topic. There was a lot of discussion and
> a lot of controversy.

As I remember the main questions in 2009-10 were (a) whether there were
*any* circumstances in which it was OK to put a secret in a URI, e.g. as a
CSRF defense; the practice is discouraged in the 'Metadatas in URIs'
finding. This discussion ended in a stalemate with opposing sides finding
no way to move the discussion forward. and (b) whether to recommend that
private resources be protected by given them unguessable URIs as a CRSF
defense. This would depend on (a) ...  again, it was a stalemate.

It is worthwhile to review Tyler Close's contributions to that discussion.
http://lists.w3.org/Archives/Public/www-tag/2010Feb/author.html
http://lists.w3.org/Archives/Public/www-tag/2010Jan/author.html

I don't think there's any point in discussing or even raising the question
of whether it's 'OK' to create unguessable URIs. The ship has sailed.
People are just doing it. New uses come on line every day. Everyone sees
they are less cumbersome than account registration and passwords. More and
more people understand that they are a good additional line of defense.
They're a fact of the Web. Saying 'don't do it' will have absolutely no
effect. Saying what the risks are and what needs to hold for it to be safe
might be of some use.

Received on Sunday, 8 June 2014 02:23:24 UTC