- From: Wilde, Erik <Erik.Wilde@emc.com>
- Date: Wed, 13 Mar 2013 16:42:20 -0400
- To: Linked Data Platform Working Group <public-ldp-wg@w3.org>
- CC: John Arwe <johnarwe@us.ibm.com>, Yves Lafon <ylafon@w3.org>
On 2013-03-13 8:15 , "Yves Lafon" <ylafon@w3.org> wrote:

>To assess equivalence, as a client, you need to know that the owner of
>both resources is the same (or that both owners have an agreement and can
>be equally trusted), and that it declares that both resources are
>equivalent.
>For the resource equivalence part, you can see the metalink ref I
>provided
>earlier. For the trust part...

representing equivalence can be done through existing mechanisms such as HTTP headers or the "canonical" link relation. but as yves pointed out, the real problem is not the representation, but the assumptions that our protocol makes (or lets clients make).

it is fairly risky to allow independent parties to make equivalence statements about resources they don't control. at least there's a risk of things getting out of sync (which is not such a problem), but in general, this is basically setting up mechanisms that allow "identity theft", in particular if we allow these statements to go across authority boundaries. in any scenario with any security issues, this may become a serious opportunity for attacks.

cheers,

dret.
Received on Wednesday, 13 March 2013 20:43:10 UTC
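
Added example, not part of the original message: a client-side check in Python that accepts a `rel="canonical"` equivalence claim from a `Link` header only when the target shares the authority of the resource that made the claim, or when both authorities are in an explicitly configured set of parties with an agreement. Treating scheme, host and port as a stand-in for ownership, the simplified `Link` parser, and every URL and function name below are assumptions made for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def authority(url):
    """Return (scheme, host, port), lowercased, with default ports filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

def canonical_targets(link_header, base_url):
    """Yield absolute targets of rel="canonical" entries in a Link header value.
    Simplified parser: assumes no commas inside quoted parameter values."""
    for m in re.finditer(r'<([^>]*)>((?:\s*;\s*[^,;]+)*)', link_header):
        rel = re.search(r';\s*rel\s*=\s*"?([^";,]+)"?', m.group(2), re.I)
        if rel and "canonical" in rel.group(1).lower().split():
            yield urljoin(base_url, m.group(1))

def check_equivalence(request_url, link_header, trusted=frozenset()):
    """Split canonical claims into (accepted, rejected).
    A claim is accepted when the target has the same authority as the resource
    making the claim, or when both authorities are in `trusted` (assumption:
    this set models owners that have an agreement)."""
    src = authority(request_url)
    accepted, rejected = [], []
    for target in canonical_targets(link_header, request_url):
        dst = authority(target)
        ok = dst == src or (src in trusted and dst in trusted)
        (accepted if ok else rejected).append(target)
    return accepted, rejected

# Constructed sample data: a response from data.example.org carrying three claims.
SAMPLE_URL = "https://data.example.org/people/alice"
SAMPLE_LINK = ('</people/alice-v2>; rel="canonical", '
               '<https://bank.example.com/accounts/alice>; rel="canonical", '
               '<https://mirror.example.net/people/alice>; rel="canonical alternate"')
TRUSTED = frozenset({authority("https://data.example.org/"),
                     authority("https://mirror.example.net/")})

if __name__ == "__main__":
    ok, bad = check_equivalence(SAMPLE_URL, SAMPLE_LINK, TRUSTED)
    print("accepted:", ok)
    print("rejected (crosses an authority boundary):", bad)
```
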