Re: W3C position on URIs http:// vs. https://

Coming back to Thomas' original question:

On 13/06/2023 17:31, Hubauer, Thomas wrote:
>
> Hi SemWeb community,
>
> One of my projects is considering making some of our ontologies 
> accessible to customers.
>
My response would be: publish your ontology on HTTPS only, and use only 
https:// IRIs to identify every part of the ontology.

IMO, this does /not /contradict the spirit of Tim's post, cited by 
Melvin [1], in which the main issue raised is about breaking /existing/ 
links (by deprecating existing http:// links in favour of new https:// 
ones).

If your ontology has not been published before, there is no existing 
links to break, so you are better off with HTTPS (and HTTPS only, to 
avoid creating more confusion with pseudo-synonymic IRIs).

   pa

[1] https://www.w3.org/DesignIssues/Security-NotTheS.html


> As part of these considerations, we have been discussing resolving 
> ontology references (e.g. for imports) which lead us to some lengthy 
> arguments about http:// vs. https:// as protocol part in our URIs 
> (primarily ontology URIs, potentially element URIs as well).
>
> I am aware of a 2016 post 
> (https://www.w3.org/blog/2016/05/https-and-the-semantic-weblinked-data/) 
> stating that W3C currently considers http and https to be “equivalent” 
> for w3c.org. However, the security guys I am working with are not too 
> happy with this as using a http URI for downloading imported 
> ontologies is vulnerable to a man-in-the-middle attack.
>
> I was unable to find any more recent statement by the W3C on the use 
> of http vs. https. Specifically, I’d be interested to understand if 
> this community (and the W3C) intend to stick with http for the 
> foreseeable future, of if there’s any plans to migrate some/all URIs 
> (e.g. ontology URIs but not element URIs) to https ? Would be nice for 
> us to understand what “the outer world” plans so we can maybe take 
> this as a blueprint for our own guidance on URIs.
>
> Best regards,
>
> Thomas
>