

From: Nathan <nathan@webr3.org>
Date: Tue, 18 May 2010 11:40:48 +0100
Message-ID: <4BF26EB0.2090109@webr3.org>
To: Niklas Lindström <lindstream@gmail.com>
CC: Linked Data community <public-lod@w3.org>
Niklas Lindström wrote:
> Hi all!
> Does there exist any advice regarding whether HTTPS URI:s constitute
> good identifiers (canonical URI:s)? Or is the HTTPS protocol an
> implementation detail better led to via redirection, HTTP Upgrade or
> similar?
> And would it be fair to claim that non-HTTPS URI:s are "potentially
> harmful" due to the risk of man-in-the-middle attacks? Or is (e.g.)
> HTTPS not enough by itself (since trusting a certificate is still up
> to the carefulness of clients), so it would be moot to promote it by
> itself in Linked Data scenarios? I suppose that using HTTPS for each
> URI leads to higher demands on the publisher, but I'd prefer more
> solid arguments for/against recommending it..

Good questions :)

I'd also add:

1: HTTPS URIs for WebIDs are still open to man-in-the-middle attacks
via DNS re-routing because the WebID doesn't contain a fingerprint of
the public key - DNSSEC should address this (others have pointed me to
this, I'm not so clever as to have realised myself!)

2: What does it mean to GET from an http scheme URI, but PUT/DELETE from 
an https scheme URI - this appears to be a grey area (?) where:
could be (and are) the same resource but have different identifiers, 
hence the above question (especially if protected by web access control).


Received on Tuesday, 18 May 2010 10:41:39 UTC
