Re: The use of https: IRIs on the semantic web

Hi Ruben,

While I broadly agree with the points you make, I think there's a tension here.

For developing "low-end" applications (e.g. a script that a researcher might 
knock up in an hour, or a small local or experimental application server), 
dealing with HTTPS can add a (small but) significant effort that gets in the 
way.  It varies depending on the tools used, of course.

When all supporting tools universally deal with HTTPS as seamlessly as HTTP, and 
for resources that are intended to be widely deployed, I think the advice holds. 
  But right now I still see a role for plain old HTTP for small-scale localized use.

And there *will* be significant numbers of HTTP URIs out there (in common 
vocabularies) for the foreseeable future, so they won't be going away (IMO).  I 
suspect a nuanced approach will be required.

(As I think about drafting this response, I am sensing the discussion may be 
more complex.  There are debates elsewhere about multiple URI schemes for the 
same resource - in some cases, the differences seem to be justified as the 
notion of "sameness" of resources isn't always clear cut.  E.g. https may be 
associated with a notion of trustworthiness not associated with mere http, even 
when the underlying representations are the same, which may affect the 
operations one is prepared to sanction based on the resource representations 
retrieved.  I don't have time to fully explore this here, but hope it gives a 
sense of what I might mean by a nuanced approach.)

#g
--


On 08/07/2017 02:37, Ruben Verborgh wrote:
> Hi Richard,
>
>> I am defining a new vocabulary.  It's not an extension of an existing vocabulary, nor will it use the same domain as any existing vocabulary.  Should I use https: IRIs?
>
> I'm recommending anyone publishing a new Linked Data dataset nowadays to do this on HTTPS,
> and we are doing this ourselves as well. Minting a new http:// URL space is just not meaningful anymore.
>
> The reasons for this are:
> 1) There's a tremendous push from different organizations toward HTTPS.
>      At the moment, browsers HTTPS label as "secure", but in the future,
>      but we can expect them to instead label HTTP as "insecure" [1].
> 2) There's no standardized correspondence
>       between an HTTP URL and its HTTPS equivalent.
> 3) Changing URLs afterwards is a no-go for several reasons.
>
>> Every source I've consulted says I should prefer http: IRIs. This includes the Linked Data book [1], the W3 note on "Cool URIs" [2], and the W3 note on best practices for RDF vocabularies.
>
> I couldn't find the passage in the Linked Data book.
> I guess Section 4.4.1 could be interpreted as such;
> however, it does not talk about https:// explicitly.
>
> The W3C notes similarly do not talk about HTTPS.
>
> Best,
>
> Ruben
>
> [1] https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
>

Received on Sunday, 9 July 2017 07:38:09 UTC