- From: Simon Josefsson <jas@extundo.com>
- Date: Wed, 30 Apr 2003 01:52:39 +0200
- To: Trevor Perrin <trevp@trevp.net>
- Cc: "Roy T. Fielding" <fielding@apache.org>, uri@w3.org
Trevor Perrin <trevp@trevp.net> writes:

> At 12:59 AM 4/30/2003 +0200, Simon Josefsson wrote:
>
>>There are merits to the idea that security metadata should not be part
>>of URIs. Here is one idea that implements the fundamental idea (which
>>I still believe is useful) without modifying URIs, like the above
>>approach does.
>>
>>The syntax would be:
>>
>>meta:<METADATA>:<URI>
>>
>>So to embed that a HTTP resource should have a certain SHA-1 hash (for
>>integrity, or even authentication, purposes) would be (this happens to
>>be a working example):
>>
>>meta:sha1=oHn3H7i+rYwEnZulnHb09KO/6Ro=:http://josefsson.org/key.txt
>>
>>Thoughts?
>
> I like that too. I'd put the <URI> first, for readability. Then it
> doesn't look too different from my suggestion.

The characteristic I liked about my idea was that the original URL was
not modified, only embedded. This simplifies implementation slightly.

> One difference is I was using brackets to separate the URI from crypto
> data. Since brackets aren't "uric" characters, that's probably a bad
> idea. So if I change my initial approach to use a colon, like yours
> does, and change yours to put the URI first, we can see the remaining
> difference:
>
> http-://josefsson.org/key.txt:sha1=oHn3H7i+rYwEnZulnHb09KO/6Ro=
> meta:http://josefsson.org/key.txt:sha1=oHn3H7i+rYwEnZulnHb09KO/6Ro=
>
> I'm denoting a secure scheme by appending "-" to the base scheme,
> you're denoting a secure scheme (or metadata-enhanced scheme) by
> "meta", with the base scheme in the scheme-specific part. I'm not
> sure which way is better.

According to RFC 2396, the '-' character is a valid trailing scheme
character. Since I assume you are not proposing to register 'http-',
'ftp-', etc. individually, but rather extend the base specification so
this idea automatically applies to all URI schemes, using a currently
invalid scheme character might be better. Then old software will not
be confused if someone is currently using a private scheme named
'myownhack-://...'. So instead it could be 'http*://...'.

Although I still prefer my idea. It doesn't require any modification
to the base specification, just a new meta: URL registration.
Received on Tuesday, 29 April 2003 19:52:47 UTC
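
Added example, not part of the original message and not code from either participant: a Python parser for the two orderings discussed in the thread (`meta:<METADATA>:<URI>` and the URI-first variant), plus a SHA-1 check of a retrieved body against the embedded digest. The function names, the first-colon/last-colon splitting rules, the example.org URL and the sample body used when calling it are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

def parse_metadata(metadata):
    """Parse 'sha1=<base64 digest>' (the only metadata form shown in the thread)."""
    algorithm, sep, encoded = metadata.partition("=")
    if not sep or algorithm != "sha1":
        raise ValueError("unsupported metadata: %r" % metadata)
    digest = base64.b64decode(encoded, validate=True)  # rejects non-base64 characters
    if len(digest) != hashlib.sha1().digest_size:
        raise ValueError("digest has the wrong length for SHA-1")
    return algorithm, digest

def strip_meta_scheme(uri):
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "meta":
        raise ValueError("not a meta: URI")
    return rest

def parse_meta_first(uri):
    """meta:<METADATA>:<URI> -> (algorithm, digest, embedded URI)."""
    # Assumption: the base64 alphabet has no ':', so the first colon ends the metadata
    # and everything after it is the embedded URI, byte for byte unmodified.
    metadata, sep, embedded = strip_meta_scheme(uri).partition(":")
    if not sep or not embedded:
        raise ValueError("missing embedded URI")
    return parse_metadata(metadata) + (embedded,)

def parse_uri_first(uri):
    """meta:<URI>:<METADATA> -> (algorithm, digest, embedded URI)."""
    # The embedded URI contains colons itself (scheme, port), so split at the last one.
    embedded, sep, metadata = strip_meta_scheme(uri).rpartition(":")
    if not sep or not embedded:
        raise ValueError("missing embedded URI")
    return parse_metadata(metadata) + (embedded,)

def build_meta_first(embedded, body):
    """Construct a meta: URI pinning the SHA-1 digest of body (used for sample data)."""
    encoded = base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")
    return "meta:sha1=%s:%s" % (encoded, embedded)

def verify(uri, body):
    """True if body, as retrieved from the embedded URI, matches the pinned digest."""
    _, expected, _ = parse_meta_first(uri)
    return hmac.compare_digest(hashlib.sha1(body).digest(), expected)
```
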