- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Wed, 22 May 2013 22:13:50 -0400
- To: Melvin Carvalho <melvincarvalho@gmail.com>, Linked JSON <public-linked-json@w3.org>
- CC: Markus Lanthaler <markus.lanthaler@gmx.net>, Dan Brickley <danbri@danbri.org>
bcc: RDF WG On 05/22/2013 05:35 PM, Melvin Carvalho wrote: >> 2. We'd also like to start a conversation about allowing the >> simpler, shorter form by defaulting to http:// if not present. > > We could certainly do that but that would mean that we would lose > the ability to use relative URLs to reference contexts which I think > is very handy for a large number of use cases. > > It may be slightly better to standardize in https, rather than http, > since schema.org <http://schema.org> is used for ecommerce too. I > dont think there's currently any known attack vector based on MITM > of a vocab, but one may emerge in future. There absolutely is a known MITM attack vector when using a vocab served over HTTP for commerce. :) If schema.org defines the concept of a 'source' and 'destination' for a financial transaction an attacker could poison a downstream DNS such that the retrieved vocab document switches source and destination, thus giving attackers the ability to suck funds out of your financial accounts. This is one of the reasons that the PaySwarm vocabs are served from https://w3id.org/ and the reason that we serve those vocabs using the HTTP Strict Transport Security (HSTS) HTTP headers. -- manu -- Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) Founder/CEO - Digital Bazaar, Inc. blog: Meritora - Web payments commercial launch http://blog.meritora.com/launch/
Received on Thursday, 23 May 2013 02:14:22 UTC