- From: Axel Polleres <axel.polleres@deri.org>
- Date: Mon, 06 Apr 2009 17:45:07 +0100
- To: Steve Harris <steve.harris@garlik.com>
- CC: SPARQL Working Group <public-rdf-dawg@w3.org>

Let me understand: what is the difference in terms of security issues between query-by-reference and queries using REST or SOAP? The same concerns you seem to raise hold there... quite on the contrary, it seems that only allowing queries-by-reference from a particular namespace would be a security feature rather than a leak.

Thanks for clarifications,
Axel

Steve Harris wrote:
> On 26 Mar 2009, at 09:38, Seaborne, Andy wrote:
>>
>>> -----Original Message-----
>>> From: public-rdf-dawg-request@w3.org [mailto:public-rdf-dawg-request@w3.org] On Behalf Of Steve Harris
>>> Sent: 25 March 2009 21:30
>>> To: SPARQL Working Group
>>> Subject: Re: Security Concerns section added to Query_by_reference
>>>
>>> On 25 Mar 2009, at 15:30, Seaborne, Andy wrote:
>>>
>>>> A practice-and-experience note.
>>>>
>>>> Queries that use FROM/FROM NAMED also cause servers to load data
>>>> from a remote reference and have the same serious issues.
>>>
>>> There is a difference. The wording of FROM (8.2 Specifying RDF Datasets) is (deliberately IIRC) quite vague, and it doesn't explicitly require you to go and dereference a URI. For example we had a store that uses FROM NAMED to choose the, already loaded, graphs that will be used to answer the query, and that's legitimate from my reading of the spec.
>>>
>>> - Steve
>>
>> The same could also be true (at least, I was assuming that it would be true). A reference to a query (a reference to a representation of a query) is no different to a reference to a representation of a graph, which is what 8.2.1 and 8.2.2 talk about.
>>
>> So just because a query is referenced, it does not mean it must be read. The query may be available locally to the server. It might even already have a query plan.
>
> Fair point, but I still think there's a difference in expectations, from the feature description and docs at the hosting site. It could be worded differently, but there seemed to be a clear expectation of a live de of the URI from the author.
>
> - Steve

--
Dr. Axel Polleres
Digital Enterprise Research Institute, National University of Ireland, Galway
email: axel.polleres@deri.org
url: http://www.polleres.net/
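One way to apply the namespace restriction Axel mentions, as an added example that is not part of the thread and not code from any SPARQL implementation: before following a FROM / FROM NAMED or query-by-reference URI, the endpoint canonicalizes it and consults an allow-list, while graphs it already holds (Steve's "already loaded" case) are answered without any fetch. The namespaces, graph names and function names below are constructed assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit, unquote

# Constructed sample policy: only URIs under these namespaces may be fetched live.
ALLOWED_PREFIXES = ("http://data.example.org/graphs/", "https://queries.example.org/")
# Constructed sample of graphs already loaded in the store (no fetch needed).
LOCAL_GRAPHS = {"http://data.example.org/graphs/g1", "urn:local:people"}


def normalize(uri: str) -> Optional[str]:
    """Canonical scheme://host[:port]/path for an http(s) URI, else None."""
    parts = urlsplit(uri.strip())
    try:
        port = parts.port
    except ValueError:  # malformed port such as "http://h:abc/"
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if "@" in parts.netloc:  # user@host forms defeat naive prefix matching
        return None
    host = parts.hostname.lower()
    if port in (None, 80 if parts.scheme == "http" else 443):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    # Decode percent-encoding and resolve dot segments so "/graphs/../admin"
    # cannot slip past a prefix check; query and fragment are dropped.
    segs = []
    for seg in unquote(parts.path or "/").split("/"):
        if seg == "..":
            if len(segs) > 1:
                segs.pop()
        elif seg != ".":
            segs.append(seg)
    return f"{parts.scheme}://{netloc}{'/'.join(segs)}"


def decide(uri: str) -> str:
    """'local' (already loaded, no network), 'fetch' (dereference allowed) or 'reject'."""
    if uri in LOCAL_GRAPHS:
        return "local"
    canon = normalize(uri)
    if canon is None:
        return "reject"
    if canon in LOCAL_GRAPHS:
        return "local"
    if any(canon.startswith(p) for p in ALLOWED_PREFIXES):
        return "fetch"
    return "reject"
```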
Received on Monday, 6 April 2009 16:45:55 UTC