W3C home > Mailing lists > Public > public-webid@w3.org > April 2013

Re: Archaic HTTP "From:" Header

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Thu, 4 Apr 2013 15:53:37 +0200
Message-ID: <CAKaEYhKK1ZLQViCrMNgmKcY0JSVq0B1_8b7pQHCBmb4c2dP3vg@mail.gmail.com>
To: Kingsley Idehen <kidehen@openlinksw.com>
Cc: public-webid <public-webid@w3.org>
On 4 April 2013 15:45, Kingsley Idehen <kidehen@openlinksw.com> wrote:

>  On 4/4/13 6:11 AM, Melvin Carvalho wrote:
>
>
>
>
> On 4 April 2013 03:32, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>
>>  On 4/3/13 7:01 PM, Mark Nottingham wrote:
>>
>>> On 04/04/2013, at 4:18 AM, Kingsley Idehen <kidehen@openlinksw.com>
>>> wrote:
>>>
>>>  All,
>>>>
>>>> I think the HTTP "From:" header [1] is now truly archaic circa. 2013.
>>>> If the range of this particular predicate was a URI it would really aid our
>>>> quest for a RWW.
>>>>
>>> It's in active use by spiders and robots.
>>>
>>>  Suggestion:
>>>>
>>>> As part of our RWW bootstrap effort, we could consider an "X-From:"
>>>> header that basically takes a URI or Literal value.
>>>>
>>>> I think we can flesh this out across WebID and RWW via implementations
>>>> before moving up to TAG and IETF.
>>>>
>>>> Mark: what do you think, anyway ? :-)
>>>>
>>> If you want something that takes a link, we have a Link header.
>>>
>>> Whatever you do, don't prefix it with X-.
>>>
>>> Cheers,
>>>
>>>
>>> --
>>> Mark Nottingham   http://www.mnot.net/
>>>
>>>
>>>
>>>
>>>
>>>
>>  Okay re. not taking the X- route.
>>
>> With regards to "From:" I am saying it should accept literals or URIs
>> instead of just literals. Net effect, I can then use:
>> kidehen@openlinksw.com or <mailto:kidehen@openlinksw.com> or <
>> http://kingsley.idehen.net/dataspace/person/kidehen#this> .
>>
>> "Link:" is also a good idea, I'll maul this over as it could also work
>> from the desired bootstrap perspective.
>
>
> +1
>
>  In fact we could call this "WebID Simple" perhaps?
>
>
> The name should reflect use. Here we want to place a WebID in the "From:"
> header in an HTTP request. We then seek to have a server verify the WebID
> in "From:" using:
>

Whether the server wants to verify or not is up to the server.


>
> 1. a simple profile lookup -- no TLS
>

Yes, This is the power of the follow your nose pattern.


> 2. a more secure lookup -- using TLS i.e., WebID+TLS (this would mean
> using HTTP redirection to an HTTPS URL that forces the client to present a
> Certificate with a WebID watermark).
>

Yes

There are many more options for auth e.g. cookies, unguessable strings, one
time tokens, security by obscurity.  These can be part of

A) the headers
B) the URL
C) a cookie
D) the protocol handshake (eg wss)
E) the profile page (e.g. you put a token in your page as auth)

All of these are well established methods for auth.  The game starts with
identification.


>
> Kingsley
>
>
>
>>
>>
>> --
>>
>> Regards,
>>
>> Kingsley Idehen
>> Founder & CEO
>> OpenLink Software
>> Company Web: http://www.openlinksw.com
>> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
>> Twitter/Identi.ca handle: @kidehen
>> Google+ Profile: https://plus.google.com/112399767740508618350/about
>> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>>
>>
>>
>>
>>
>>
>
>
> --
>
> Regards,
>
> Kingsley Idehen	
> Founder & CEO
> OpenLink Software
> Company Web: http://www.openlinksw.com
> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca handle: @kidehen
> Google+ Profile: https://plus.google.com/112399767740508618350/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>
>
>
>
Received on Thursday, 4 April 2013 13:54:15 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:54:43 UTC