Re: Security Concerns section added to Query_by_reference

Let me understand: What is the difference in terms of security issues 
between query-by-reference and queries using REST or SOAP queries?

The same concerns you seem to rise hold there... quite on the contrary, 
it seems that only allowing queries-by-reference from a particular 
namespace would be a security feature rather than a leak.

Thanks for clarifications,

Steve Harris wrote:
> On 26 Mar 2009, at 09:38, Seaborne, Andy wrote:
>>> -----Original Message-----
>>> From: [mailto:public-rdf-dawg-
>>>] On Behalf Of Steve Harris
>>> Sent: 25 March 2009 21:30
>>> To: SPARQL Working Group
>>> Subject: Re: Security Concerns section added to Query_by_reference
>>> On 25 Mar 2009, at 15:30, Seaborne, Andy wrote:
>>>> A practice-and-experience note.
>>>> Queries that use FROM/FROM NAMED also cause servers to load data
>>>> from a remote reference and have the same serious issues.
>>> There is a difference. The wording of FROM (8.2 Specifying RDF
>>> Datasets) is (deliberately IIRC) quite vague, and it doesn't
>>> explicitly require you to go and dereference a URI. For example we had
>>> a store that uses FROM NAMED to choose the, already loaded, graphs
>>> that will be used to answer the query, and that's legitimate from me
>>> reading of the spec.
>>> - Steve
>> The same could also be true (at least, I was assuming that it would be 
>> true).  A reference to a query (a reference to a representation of a 
>> query) is no different to a reference to a representation of a graph, 
>> which is what 8.2.1 and 8.2.2 talk about.
>> So just because a query is referenced, it does not mean it must be 
>> read. The query may be available locally to the server.  It might even 
>> already have a query plan.
> Fair point, but I still think there's a difference in expectations, from 
> the feature description and docs at the hosting site. It could be worded 
> differently, but there seemed to be a clear expectation of a live de of 
> the URI from the author.
> - Steve

Dr. Axel Polleres
Digital Enterprise Research Institute, National University of Ireland, 
email:  url:

Received on Monday, 6 April 2009 16:45:55 UTC