Re: URN Resolution Security and Privacy Issues (fwd)

Larry Masinter (masinter@parc.xerox.com)
Mon, 10 Jul 1995 13:47:42 PDT


To: pierre@indirect.com
Cc: uri@bunyip.com
In-Reply-To: pierre@indirect.com's message of Mon, 10 Jul 1995 13:41:39 -0700 <95Jul10.134149pdt.2767@golden.parc.xerox.com>
Subject: Re: URN Resolution Security and Privacy Issues (fwd)
From: Larry Masinter <masinter@parc.xerox.com>
Message-Id: <95Jul10.134746pdt.2762@golden.parc.xerox.com>
Date: Mon, 10 Jul 1995 13:47:42 PDT

> Any URN registry service must be able to answer the question of whether a 
> URN exists in order to decide whether it can be assigned to a new object.

It's clear that a URN registry service can be asked 'give me a new
URN' without revealing answers to the question of 'is X a valid URN'.

On the other hand, merely being able to ask 'is X a valid URN' might
not reveal information if URNs contain sufficient random information
to make guessing one difficult, or if URNs contain no external
information like titles or dates, other than a sequence number.

> If you're playing with confidential information, what is it doing on an 
> essentially public network, where security is basically nonexistent?

This is not an assumption that any internet working group should make.