Re: W3C position on URIs http:// vs. https://

Hi Melvin,

thanks a lot for your response and the reference – such documents are exactly what I am looking for.
I would phrase the takeaway a bit differently, however: my takeaway is “yes, please do make it secure, but do so while keeping http, and don’t break the web”. As a security layman, I see a lot of value in this – however it’s totally out of what I or the project can control. TBL seems to recommend “TLS everywhere” – so, if I want to follow his advice in the *current* situation, how can I do this without using https URIs for my own models (where I do have control)?

Continuing this thought: I always considered it a good practice that the ontology URI and the URIs of the elements defined in the ontology are “related” – more specifically I tend to have all element URIs start with the ontology URI. As I would like to avoid breaking changes deep inside systems already using the ontologies, we were discussing using https for the ontology URIs (so that a tool such as Protégé could automatically load them), but keeping http for the URIs of classes, relations, etc. Would also appreciate thoughts on this.

On a lighter note: Even though there’s no documented case in history of a person being killed by a sword hung above their head on a horse hair, I would still not like to take Damocles’ place at the dinner table 😉

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Tuesday, 13 June 2023 at 17:47
To: Hubauer, Thomas (T DAI SMR-DE) <thomas.hubauer@siemens.com>
Cc: semantic-web@w3.org <semantic-web@w3.org>
Subject: Re: W3C position on URIs http:// vs. https://


On Tue, 13 Jun 2023 at 17:37, Hubauer, Thomas <thomas.hubauer@siemens.com> wrote:
Hi SemWeb community,

One of my projects is considering making some of our ontologies accessible to customers. As part of these considerations, we have been discussing resolving ontology references (e.g. for imports) which lead us to some lengthy arguments about http:// vs. https:// as protocol part in our URIs (primarily ontology URIs, potentially element URIs as well).

I am aware of a 2016 post (https://www.w3.org/blog/2016/05/https-and-the-semantic-weblinked-data/) stating that W3C currently considers http and https to be “equivalent” for w3c.org. However, the security guys I am working with are not too happy with this as using a http URI for downloading imported ontologies is vulnerable to a man-in-the-middle attack.

I was unable to find any more recent statement by the W3C on the use of http vs. https. Specifically, I’d be interested to understand if this community (and the W3C) intend to stick with http for the foreseeable future, or if there’s any plans to migrate some/all URIs (e.g. ontology URIs but not element URIs) to https? Would be nice for us to understand what “the outer world” plans so we can maybe take this as a blueprint for our own guidance on URIs.

I'm with TimBL on this:

"HTTPS Everywhere" considered harmful

https://www.w3.org/DesignIssues/Security-NotTheS.html


The Semantic Web has been around for a couple of decades.  Is there any documented instance of an MITM attack on an ontology ever causing an issue?


Best regards,
Thomas
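The two practical questions raised in the thread (how to avoid the plain-HTTP import download without changing the http:// identifiers of one's own models, and whether an https ontology URI with http element URIs still counts as "related") can be handled in the import loader rather than in the URIs. The script below is an added example and is not code from the thread, from Protégé or from the W3C; the Turtle snippet, the catalog entries and the example.org IRIs are constructed here. It keeps http:// as the identifier (the key used for `owl:imports` and for comparing element IRIs), maps each import to an https fetch location via an explicit catalog or, failing that, a scheme upgrade, and refuses any non-https location so the loader never downloads an ontology over a channel open to a man-in-the-middle.

```python
"""
Added example (not from the semantic-web thread): keep http:// as the
*identifier* of an ontology and its elements, but never *fetch* an import
over plain HTTP. Sample Turtle, catalog and IRIs below are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: an ontology whose identifier and imports use http://
SAMPLE_TURTLE = """
@prefix owl: <http://www.w3.org/2002/07/owl#> .
<http://example.org/ont/core> a owl:Ontology ;
    owl:imports <http://example.org/ont/base> ,
                <http://www.w3.org/2004/02/skos/core> .
"""

# Constructed catalog in the spirit of a Protégé catalog file:
# identifier -> where the document is actually downloaded from.
CATALOG = {
    "http://example.org/ont/base": "https://ontologies.example.org/base.ttl",
}

IMPORT_RE = re.compile(r"owl:imports\s+((?:<[^>]+>\s*,?\s*)+)")
IRI_RE = re.compile(r"<([^>]+)>")


def upgrade_to_https(iri: str) -> str:
    """Rewrite an http:// identifier into an https:// fetch URL.
    Any other scheme is rejected, so an import statement inside a fetched
    document cannot steer the loader to file:// or ftp:// locations."""
    parts = urlsplit(iri)
    if parts.scheme == "https":
        return iri
    if parts.scheme != "http":
        raise ValueError(f"refusing to fetch non-http(s) import: {iri}")
    return urlunsplit(("https",) + tuple(parts[1:]))


def parse_imports(turtle: str) -> list[str]:
    """Collect owl:imports IRIs from a Turtle document. A regex is enough for
    this constructed input; a real loader would use an RDF parser."""
    iris: list[str] = []
    for m in IMPORT_RE.finditer(turtle):
        iris.extend(IRI_RE.findall(m.group(1)))
    return iris


def resolve_imports(turtle: str, catalog: dict[str, str]) -> dict[str, str]:
    """Map each import identifier to an https fetch location: the catalog
    entry if there is one, otherwise a scheme upgrade. The identifier itself
    is left untouched, so downstream systems keep seeing http:// IRIs."""
    resolved: dict[str, str] = {}
    for iri in parse_imports(turtle):
        location = catalog.get(iri) or upgrade_to_https(iri)
        if urlsplit(location).scheme != "https":
            raise ValueError(f"catalog entry for {iri} is not https: {location}")
        resolved[iri] = location
    return resolved


def strip_scheme(iri: str) -> str:
    """'https://example.org/ont/core' -> 'example.org/ont/core'."""
    parts = urlsplit(iri)
    return urlunsplit(("",) + tuple(parts[1:])).lstrip("/")


def elements_outside_ontology(ontology_iri: str, element_iris: list[str]) -> list[str]:
    """Return element IRIs that do not start with the ontology IRI, ignoring
    the http/https difference so the split proposed in the thread (https
    ontology IRI, http element IRIs) still counts as 'related'."""
    base = strip_scheme(ontology_iri)
    return [e for e in element_iris if not strip_scheme(e).startswith(base)]


if __name__ == "__main__":
    for identifier, location in resolve_imports(SAMPLE_TURTLE, CATALOG).items():
        print(f"{identifier}  ->  fetch from {location}")
    print(elements_outside_ontology(
        "https://example.org/ont/core",
        ["http://example.org/ont/core#Pump", "http://other.example/Valve"]))
```

Only the fetch location changes scheme; the `owl:imports` triples and the element IRIs stay as published, which is the property Thomas wants to preserve. With this in place, an HTTPS client that verifies certificates (the default in Python's `urllib` and `requests`) does the actual download, and a catalog entry is the place to pin a mirror for an import whose http:// identifier has no https counterpart.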

Received on Tuesday, 13 June 2023 16:58:55 UTC