Comments on SPARQL protocol document from Graham Klyne on 2005-09-16 (public-rdf-dawg-comments@w3.org from September 2005)

From: Graham Klyne <GK@ninebynine.org>
Date: Fri, 16 Sep 2005 10:09:10 +0100
To: public-rdf-dawg-comments@w3.org
Message-ID: <432A8BB6.1050507@ninebynine.org>

With reference to:
http://www.w3.org/TR/2005/WD-rdf-sparql-protocol-20050914/

I have not close-read this.  On a quick skim, two thoughts come to mind:

...

(1) the SPARQL query language makes reference to the possibility of
generating warnings under certain circumstances; cf.
http://www.w3.org/TR/2005/WD-rdf-sparql-query-20050721/#construct

In light of this, it might be appropriate for there to be some way to
return any warnings along with the query results.

...

(2) Security considerations

I feel this is drafted too prescriptively.  The matters raised are
appropriate and valuable to mention, but I feel the normatively stated
recommendations are not the only reasonable solutions.

Concerning anonymizing services, there may well be reasons for not
providing client information.  E.g., I have recently been told that
there is a principle in library systems that a reader should be able to
access any publicly available information anonymously.  Making the
logging of client identification a normative requirement seems to be in
violation of this principle.  Other remedies to the DoS potential are
noted in the spec.

Concerning privacy, the normative "must take care that facts disclosed
in or implied by query results do not violate applicable privacy ..."
also seems to be over-prescriptive.  Again, I think that mention of this
issue is appropriate, but I also think that the appropriate response to
this is really a matter for the application, not the protocol
specification.  I think it would be more helpful to suggest possible
technical remedies.

In particular, I think it would be helpful to suggest ways in which
authenticating information can accompany a query, so that the
information service that is being queried can decide whether or not it
is appropriate to release the requested information.  Also, suggest
mechanisms for maintaining privacy of the query results.  I imagine such
suggestions might simply be references to appropriate security protocol
specifications, but I also note that security mechanisms at several
levels might be applied (e.g. TLS/https, SOAP-level security
mechanisms, MIME object security mechanisms, XML-level security
mechanisms, etc.).  Does the working group have any view concerning what
mechanisms are most appropriate for a general-use SPARQL query protocol
implementation?

Also on the subject of security considerations, I think it would be 
worth mentioning the problems of spoofed server responses, and 
suggesting use of mechanisms that allow the client to authenticate the 
SPARQL query server and/or results.  It also occurs to me that the query 
processor may need to be able to relay authenticating information from a 
back-end or 3rd-party information source.

...

Also, I note that the reference for RDF-Concepts contains a URI for the
RDF-primer ("This version").

#g

-- 
Graham Klyne
For email:
http://www.ninebynine.org/#Contact

Received on Friday, 16 September 2005 09:13:35 UTC