Re: WebID-ISSUE-64 (redirects): Redirects [WebID Spec]

On Mon, Oct 08, 2012 at 10:07:01PM +0200, Baptiste Lafontaine wrote:
> >> I've read all this old topic but I face this issue while doing my node.js
> >> implementation.
> >>
> >> The current spec [1] says: "Add explanation for URI with redirect."
> >>
> >> Should I follow all redirects? What kinds of redirects make the URL of
> >> the query change in the SPARQL query?
> >>
> >> Please note that this is not a theoretical question and I would prefer
> >> a pragmatic answer.
> >>
> >> [1]: http://www.w3.org/2005/Incubator/webid/spec/drafts/ED-webid-20111212/#verifying-the-webids
> >
> > I would say one should follow redirects of course. The question is what are
> > the issues that may arise there. If an https url redirects to an http url
> > then you must reduce the trust you have towards that http
> > resource, since that could have been man-in-the-middled.
> >
> > Otherwise I would follow as many redirects as seems cost effective. People
> > who have too many redirects on their WebID should not be surprised if they
> > have difficulty logging in. On the other hand servers that don't follow
> > redirects at all will lose friends.
> >
> > What text do you think we should put there?
> >
> 
> I would have said that the specification should be a little bit more formal on
> this point by telling how many redirections should/must be tested. This way
> WebID implementations may have more consistency and prevent users from having
> WebIDs that work on some implementations and do not on others. In my
> opinion it's the same for the number of URIs from the certificate's SAN.

I agree with this. We could request at least two redirects, e.g. a webid
redirects to a profile hoster which redirects to the specific representation.

> Another problem that I face: let's say that bob has this in his
> certificate SAN:
> URI:https://bob.example/profile#me
> 
> When reaching this URL, the VerificationAgent got a 301 (or 302) to
> https://bob.somethingelse/profile#me.
> 
> When using the SPARQL query defined in 3.2.4.2, should the
> VerificationAgent test against https://bob.example/profile#me or
> https://bob.somethingelse/profile#me?

Clearly https://bob.example/profile#me - the redirection will lead you from the
non-information resource to an information resource which describes the
requested one. Nevertheless, you will sometimes find triples with the
information resources as the subject (e.g. last modified timestamps of the
foaf profile document).

Best regards

Sebastian Tramp

-- 
WebID: http://sebastian.tramp.name

Received on Monday, 8 October 2012 21:27:57 UTC
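
The redirect handling discussed in this thread, as an added example that is not part of the original messages or of any WebID implementation: follow a bounded number of redirects, flag an https-to-http hop as reduced trust, and keep the SAN URI as the subject to verify. The `resolveProfile` function, its `fetchStatus` hook, the `CONSTRUCTED` response table, the alice/loop hosts and the limit of 2 are assumptions made for illustration.

```javascript
// Added example. CONSTRUCTED stands in for real HTTP responses (assumption),
// keyed by fragment-less URL, so the sketch runs offline.
const CONSTRUCTED = {
  'https://bob.example/profile': { status: 301, location: 'https://bob.somethingelse/profile#me' },
  'https://bob.somethingelse/profile': { status: 200 },
  'https://alice.example/card': { status: 302, location: 'http://alice.example/card.rdf' },
  'http://alice.example/card.rdf': { status: 200 },
  'https://loop.example/a': { status: 302, location: '/b' },
  'https://loop.example/b': { status: 302, location: '/c' },
  'https://loop.example/c': { status: 302, location: '/d' },
};

const MAX_REDIRECTS = 2; // assumption: the two-hop figure suggested in the thread

// fetchStatus is a hypothetical hook: (url) => { status, location? }.
function resolveProfile(webid, fetchStatus = (u) => CONSTRUCTED[u], max = MAX_REDIRECTS) {
  let url = new URL(webid);
  url.hash = ''; // fragments are never sent to the server
  const hops = [];
  let downgraded = false;
  for (;;) {
    const res = fetchStatus(url.href);
    if (!res) throw new Error('no response for ' + url.href);
    if (res.status === 200) {
      // subject stays the URI from the certificate SAN, whatever was followed.
      return { subject: webid, document: url.href, hops, downgraded };
    }
    if (![301, 302, 303, 307, 308].includes(res.status) || !res.location) {
      throw new Error('unexpected status ' + res.status);
    }
    if (hops.length >= max) throw new Error('too many redirects');
    const next = new URL(res.location, url); // Location may be relative
    next.hash = '';
    if (!['https:', 'http:'].includes(next.protocol)) {
      throw new Error('unsupported scheme ' + next.protocol);
    }
    // https -> http: the remaining hops could have been tampered with in transit.
    if (url.protocol === 'https:' && next.protocol === 'http:') downgraded = true;
    hops.push(next.href);
    url = next;
  }
}
```

A caller would parse the document at `document`, match the certificate key against `subject`, and lower the trust it assigns to the result when `downgraded` is true.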