AW: AW: W3C position on URIs http:// vs. https://

Hi Chaals,

we would not really be able to track everyone who downloaded the ontologies from our internal platform, but we do have some channels that allow us to reach the majority of users, I think. I was wondering if we do the change with a new version, so that anyone wanting to upgrade his imports/ontologies used for RDF creation would have to update whereas “legacy” remains unchanged…

From: Chaals Nevile <chaals@fastmail.fm>
Date: Monday, 19 June 2023 at 12:45
To: Hubauer, Thomas (T DAI SMR-DE) <thomas.hubauer@siemens.com>, Pierre-Antoine Champin <pierre-antoine@w3.org>, semantic-web@w3.org <semantic-web@w3.org>
Subject: Re: AW: W3C position on URIs http:// vs. https://
If you have internal usage, does that mean that you know who has been using it?

If so, it makes sense IMHO to treat that as a bounded and finite problem worth solving, rather than to claim it's already too hard and release the issue "into the wild" assuring that if you have any success it becomes impossible to know the bounds or scope of the problem any more.

Otherwise, I concur with the advice that you use "https:" not "http:"

(And that you either direct your ire at the browser developers who couldn't figure out that the string doesn't matter: they have a proper UI to show the difference between secured and unsecured content (as they committed to doing over 15 years ago in the context of enhanced security for certificates), and there's no technical reason why a URI beginning https: couldn't have served plaintext content.

Or even better, you just resign yourself to the fact that development doesn't imply monotonic improvement to the world, and let your ire dissipate into the ether by using it as motivation to get the changes you need implemented faster).

cheers

Chaals

On Monday, June 19, 2023 12:32:53 (+02:00), Hubauer, Thomas wrote:
Hi Pierre-Antoine,

for “greenfield” (not yet published ontologies) I would agree. However we have been using these ontologies internally for a few years now, so while it’s about initial *external* publication we sadly still have some existing users (importing ontologies, RDF graphs, …) of these ontologies internally…

Thomas

From: Pierre-Antoine Champin <pierre-antoine@w3.org>
Date: Wednesday, 14 June 2023 at 15:21
To: Hubauer, Thomas (T DAI SMR-DE) <thomas.hubauer@siemens.com>, semantic-web@w3.org <semantic-web@w3.org>
Subject: Re: W3C position on URIs http:// vs. https://

Coming back to Thomas' original question:
On 13/06/2023 17:31, Hubauer, Thomas wrote:
Hi SemWeb community,

One of my projects is considering making some of our ontologies accessible to customers.

My response would be: publish your ontology on HTTPS only, and use only https:// IRIs to identify every part of the ontology.

IMO, this does not contradict the spirit of Tim's post, cited by Melvin [1], in which the main issue raised is about breaking existing links (by deprecating existing http:// links in favour of new https:// ones).

If your ontology has not been published before, there are no existing links to break, so you are better off with HTTPS (and HTTPS only, to avoid creating more confusion with pseudo-synonymic IRIs).

  pa

[1] https://www.w3.org/DesignIssues/Security-NotTheS.html
As part of these considerations, we have been discussing resolving ontology references (e.g. for imports) which led us to some lengthy arguments about http:// vs. https:// as protocol part in our URIs (primarily ontology URIs, potentially element URIs as well).

I am aware of a 2016 post (https://www.w3.org/blog/2016/05/https-and-the-semantic-weblinked-data/) stating that W3C currently considers http and https to be “equivalent” for w3c.org. However, the security guys I am working with are not too happy with this as using a http URI for downloading imported ontologies is vulnerable to a man-in-the-middle attack.

I was unable to find any more recent statement by the W3C on the use of http vs. https. Specifically, I’d be interested to understand if this community (and the W3C) intend to stick with http for the foreseeable future, or if there are any plans to migrate some/all URIs (e.g. ontology URIs but not element URIs) to https? Would be nice for us to understand what “the outer world” plans so we can maybe take this as a blueprint for our own guidance on URIs.

Best regards,
Thomas



--
Chaals Nevile
Using Fastmail - it's worth it

Received on Monday, 19 June 2023 11:27:37 UTC