- From: Graham Klyne <GK@ninebynine.org>
- Date: Fri, 16 Sep 2005 10:09:10 +0100
- To: public-rdf-dawg-comments@w3.org
With reference to: http://www.w3.org/TR/2005/WD-rdf-sparql-protocol-20050914/ I have not close-read this. On a quick skim, two thoughts come to mind: ... (1) the SPARQL query language makes reference to the possibility of generating warnings under certain circumstances; cf. http://www.w3.org/TR/2005/WD-rdf-sparql-query-20050721/#construct In light of this, it might be appropriate for there to be some way to return any warnings along with the query results. ... (2) Security considerations I feel this is drafted too prescriptively. The matters raised are appropriate and valuable to mention, but I feel the normatively stated recommendations are not the only reasonable solutions. Concerning anonymizing services, there may well be reasons for not providing client information. E.g., I have recently been told that there is a principle in library systems that a reader should be able to access any publicly available information anonymously. Making the logging of client identification a normative requirement seems to be in violation of this principle. Other remedies to the DoS potential are noted in the spec. Concerning privacy, the normative "must take care that facts disclosed in or implied by query results do not violate applicable privacy ..." also seems to be over-prescriptive. Again, I think that mention of this issue is appropriate, but I also think that the appropriate response to this is really a matter for the application, not the protocol specification. I think it would be more helpful to suggest possible technical remedies. In particular, I think it would be helpful to suggest ways in which authenticating information can accompany a query, so that the information service that is being queried can decide whether or not it is appropriate to release the requested information. Also, suggest mechanisms for maintaining privacy of the query results. I imagine such suggestions might simply be references to appropriate security protocol specifications, but I also note that security mechanisms at several levels might be applied (e.g. TLS/https, SOAP-level security mechanisms, MIME object security mechanisms, XML-level security mechanisms, etc.). Does the working group have any view concerning what mechanisms are most appropriate for a general-use SPARQL query protocol implementation? Also on the subject of security considerations, I think it would be worth mentioning the problems of spoofed server responses, and suggesting use of mechanisms that allow the client to authenticate the SPARQL query server and/or results. It also occurs to me that the query processor may need to be able to relay authenticating information from a back-end or 3rd-party information source. ... Also, I note that the reference for RDF-Concepts contains a URI for the RDF-primer ("This version"). #g -- Graham Klyne For email: http://www.ninebynine.org/#Contact
Received on Friday, 16 September 2005 09:13:35 UTC