Re: W3C position on URIs http:// vs. https:// from Jürgen Jakobitsch on 2023-06-13 (semantic-web@w3.org from June 2023)

From: Jürgen Jakobitsch <juergen.jakobitsch@semantic-web.com>
Date: Tue, 13 Jun 2023 19:07:40 +0200
To: Melvin Carvalho <melvincarvalho@gmail.com>
Cc: "Hubauer, Thomas" <thomas.hubauer@siemens.com>, "semantic-web@w3.org" <semantic-web@w3.org>
Message-ID: <CAETaefxR6H_LTgVvi2-K0ep14s-UinX-PrVKSp9pD_nEwL=B8g@mail.gmail.com>

:-)

there is no such thing as "using a http URI for downloading" in the
semantic web .

what you can download is a document from a specific URL (mind the L) which
contains well specified serializations of RDF triples the subject of which
will be a URI.

it's a matter of linked data deployment:

curl -L -H "accept:text/turtle" http://www.turnguard.com/turnguard

can respond with HTTP 303, Location: https://www.turnguard.com/turnguard.ttl
(containing triples with http://www.turnguard.com/turnguard as the subject)

in short a URI is not a URL ;-)






*Jürgen Jakobitsch*
Director of Infrastructure & Information Security
Semantic Web Company GmbH
EU: +43-14021235 <+43%201%204021235>
US: (415) 800-3776
Mobile: +43-676-6212710 <+43%20676%206212710>
https://www.poolparty.biz
https://www.semantic-web.com

*Download E-Book*: Introducing Semantic AI
<https://www.poolparty.biz/machine-learning-meets-semantics/>


Am Di., 13. Juni 2023 um 17:49 Uhr schrieb Melvin Carvalho <
melvincarvalho@gmail.com>:

>
>
> út 13. 6. 2023 v 17:37 odesílatel Hubauer, Thomas <
> thomas.hubauer@siemens.com> napsal:
>
>> Hi SemWeb community,
>>
>>
>>
>> One of my projects is considering making some of our ontologies
>> accessible to customers. As part of these considerations, we have been
>> discussing resolving ontology references (e.g. for imports) which lead us
>> to some lengthy arguments about http:// vs. https:// as protocol part in
>> our URIs (primarily ontology URIs, potentially element URIs as well).
>>
>>
>>
>> I am aware of a 2016 post (
>> https://www.w3.org/blog/2016/05/https-and-the-semantic-weblinked-data/)
>> stating that W3C currently considers http and https to be “equivalent” for
>> w3c.org. However, the security guys I am working with are not too happy
>> with this as using a http URI for downloading imported ontologies is
>> vulnerable to a man-in-the-middle attack.
>>
>>
>>
>> I was unable to find any more recent statement by the W3C on the use of
>> http vs. https. Specifically, I’d be interested to understand if this
>> community (and the W3C) intend to stick with http for the foreseeable
>> future, of if there’s any plans to migrate some/all URIs (e.g. ontology
>> URIs but not element URIs) to https ? Would be nice for us to understand
>> what “the outer world” plans so we can maybe take this as a blueprint for
>> our own guidance on URIs.
>>
>
> I'm with TimBL on this:
>
> "HTTPS Everywhere" considered harmful
>
> https://www.w3.org/DesignIssues/Security-NotTheS.html
>
> The Semantic Web has been around for a couple of decades.  Is there any
> documented instance of an MITM attack on an ontology ever causing an issue?
>
>>
>>
>>
>> Best regards,
>>
>> Thomas
>>
>>
>>
>>
>>
>

Received on Tuesday, 13 June 2023 17:07:58 UTC