Niklas Lindström wrote:
> Hi all!
> Does there exist any advice regarding whether HTTPS URI:s constitute
> good identifiers (canonical URI:s)? Or is the HTTPS protocol an
> implementation detail better led to via redirection, HTTP Upgrade or
> similar?
> And would it be fair to claim that non-HTTPS URI:s are "potentially
> harmful" due to the risk of man-in-the-middle attacks? Or is (e.g.)
> HTTPS not enough by itself (since trusting a certificate is still up
> to the carefulness of clients), so it would be moot to promote it by
> itself in Linked Data scenarios? I suppose that using HTTPS for each
> URI leads to higher demands on the publisher, but I'd prefer more
> solid arguments for/against recommending it..

Good questions :)

I'd also add:

1: HTTPS URIs for WebIDs are still open to man-in-the-middle attacks
via DNS re-routing because the WebID doesn't contain a fingerprint of
the public key - DNSSEC should address this (others have pointed me to
this, I'm not so clever as to have realised myself!)

2: What does it mean to GET from an http scheme URI, but PUT/DELETE from 
an https scheme URI - this appears to be a grey area (?) where:
could be (and are) the same resource but have different identifiers, 
hence the above question (especially if protected by web access control).



Received on Tuesday, 18 May 2010 10:41:39 UTC