Re: W3C position on URIs http:// vs. https://

It was & is a mistake to use URLs as semantic identities beyond 'this is 
the HTTPS endpoint for X'.

It is fine to use HTTPS-like URLs as the basis for URIs, and in fact 
secure proof of authority / control / security can be done relative to 
those URIs and HTTPS a la Let's Encrypt.  But the protocol used should 
be flexible, potentially dynamic & diverse, and something that could be 
mapped.

As a simple proposal:

Add date (some resolution of ISO date format), at least year, to 
URL-like URI references.  Then support a URI mapping mechanism, with 
some degree of authority, that can map a reference to a current URL or 
URLs and potentially an updated URI.

I have long thought about this for phone numbers and other things: Your 
phone number + year likely uniquely identifies you, regardless of how 
many others have your phone number before and after you.

This provides a way to have a stable proliferation of identifiers / 
identities, while not requiring that the current state of the web be 
stable forever.  Companies close, researchers & projects change 
universities, people die, etc.  We need a clean, efficient, resilient 
system for at least the most important things.  The Internet Archive, 
Wikipedia, Library of Congress, and others are likely repositories.

This would have solved the HTTP->HTTPS transition.  And it could be used 
for WSS, WebTransport, messaging systems in general (Kafka et al), etc.  
While HTTPS is a great baseline, it is not appropriate or competitive 
for everything.  Distributed web systems, for instance, will operate 
much differently, but could easily handle URI resolving.

We can use browser plugins, reverse proxies for application servers, and 
other methods to adapt existing software.  But we should start building 
software that is a lot more resilient.

Stephen

On 6/13/23 8:47 AM, Melvin Carvalho wrote:
>
>
> On Tue, 13 Jun 2023 at 17:37, Hubauer, Thomas 
> <thomas.hubauer@siemens.com> wrote:
>
>     Hi SemWeb community,
>
>     One of my projects is considering making some of our ontologies
>     accessible to customers. As part of these considerations, we have
>     been discussing resolving ontology references (e.g. for imports)
>     which led us to some lengthy arguments about http:// vs. https://
>     as protocol part in our URIs (primarily ontology URIs, potentially
>     element URIs as well).
>
>     I am aware of a 2016 post
>     (https://www.w3.org/blog/2016/05/https-and-the-semantic-weblinked-data/)
>     stating that W3C currently considers http and https to be
>     “equivalent” for w3c.org. However, the security
>     guys I am working with are not too happy with this as using a http
>     URI for downloading imported ontologies is vulnerable to a
>     man-in-the-middle attack.
>
>     I was unable to find any more recent statement by the W3C on the
>     use of http vs. https. Specifically, I’d be interested to
>     understand if this community (and the W3C) intend to stick with
>     http for the foreseeable future, or if there are any plans to
>     migrate some/all URIs (e.g. ontology URIs but not element URIs) to
>     https? Would be nice for us to understand what “the outer world”
>     plans so we can maybe take this as a blueprint for our own
>     guidance on URIs.
>
>
> I'm with TimBL on this:
>
> "HTTPS Everywhere" considered harmful
>
> https://www.w3.org/DesignIssues/Security-NotTheS.html
>
> The Semantic Web has been around for a couple of decades.  Is there 
> any documented instance of an MITM attack on an ontology ever causing 
> an issue?
>
>     Best regards,
>
>     Thomas
>
-- 
 
 
*Stephen D. Williams*
Founder: VolksDroid, Blue Scholar Foundation
650-450-8649 | fax:703-995-0407 | sdw@lg.net 
<mailto:sdw@lig.net> | https://VolksDroid.org | 
https://BlueScholar.org | https://sdw.st/in

Received on Wednesday, 14 June 2023 22:34:31 UTC
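
The dated-reference proposal in the message above, worked through as an added example that is not part of the original thread. The record layout, the `resolve` function, and all hosts and dates are assumptions made for illustration; how a mapping authority would publish and authenticate its records is left out.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed mapping records: (identity key, valid_from, valid_to, current URLs).
# Hosts, dates and the record layout are hypothetical.
RECORDS = [
    ("example.org/onto", date(2010, 1, 1), date(2018, 6, 30),
     ["https://archive.example.net/2018/example.org/onto"]),
    ("example.org/onto", date(2018, 7, 1), date.max,
     ["https://example.org/onto", "https://mirror.example.com/onto"]),
]

def identity_key(uri):
    """Scheme-independent key, so http:// and https:// name the same identity."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an HTTP-like URI: %r" % uri)
    return parts.hostname.lower() + parts.path.rstrip("/")

def date_span(text):
    """Turn 'YYYY', 'YYYY-MM' or 'YYYY-MM-DD' into an inclusive date range."""
    nums = [int(p) for p in text.split("-")]
    if len(nums) == 1:
        return date(nums[0], 1, 1), date(nums[0], 12, 31)
    if len(nums) == 2:
        year, month = nums
        nxt = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
        return date(year, month, 1), date.fromordinal(nxt.toordinal() - 1)
    start = date(*nums)  # raises on a malformed date
    return start, start

def resolve(uri, when, records=RECORDS):
    """Map a (URI, date) reference to the URLs that currently serve it."""
    key = identity_key(uri)
    lo, hi = date_span(when)
    # A record matches if its validity interval overlaps the reference's span.
    hits = [r for r in records if r[0] == key and r[1] <= hi and lo <= r[2]]
    if not hits:
        raise LookupError("no mapping for %s at %s" % (key, when))
    if len(hits) > 1:
        raise LookupError("ambiguous: %s changed hands during %s" % (key, when))
    # Only hand back transport-protected targets, whatever scheme the reference used.
    if any(urlsplit(u).scheme != "https" for u in hits[0][3]):
        raise ValueError("mapping returned a non-HTTPS target")
    return hits[0][3]
```

A year-only reference fails closed when the identifier changed hands within that year; a finer date resolution on the reference removes the ambiguity.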