W3C home > Mailing lists > Public > public-lod@w3.org > May 2010

Re: HTTPS URI:s

From: Nathan <nathan@webr3.org>
Date: Tue, 18 May 2010 11:40:48 +0100
Message-ID: <4BF26EB0.2090109@webr3.org>
To: Niklas Lindström <lindstream@gmail.com>
CC: Linked Data community <public-lod@w3.org>
Niklas Lindström wrote:
> Hi all!
> 
> Does there exist any advice regarding whether HTTPS URI:s constitute
> good identifiers (canonical URI:s)? Or is the HTTPS protocol an
> implementation detail better led to via redirection, HTTP Upgrade or
> similar?
> 
> And would it be fair to claim that non-HTTPS URI:s are "potentially
> harmful" due to the risk of man-in-the-middle attacks? Or is (e.g.)
> HTTPS not enough by itself (since trusting a certificate is still up
> to the carefulness of clients), so it would be moot to promote it by
> itself in Linked Data scenarios? I suppose that using HTTPS for each
> URI leads to higher demands on the publisher, but I'd prefer more
> solid arguments for/against recommending it..

Good questions :)

I'd also add:

1: HTTPS URIs for webid's are still open to man in the middle attacks 
via dns re-routing because the webid doesn't contain a fingerprint of 
the public key - DNSSEC should address this (others have pointed me to 
this, I'm not so clever as to have realised myself!)

2: What does it mean to GET from an http scheme URI, but PUT/DELETE from 
an https scheme URI - this appears to be a grey area (?) where:
   http://example.org/resource
   https://example.org/resource
could be (and are) the same resource but have different identifiers, 
hence the above question (especially if protected by web access control).

Best,

Nathan
Received on Tuesday, 18 May 2010 10:41:39 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:29:48 UTC