- From: Trevor Perrin <trevp@trevp.net>
- Date: Tue, 29 Apr 2003 17:18:32 -0700
- To: Simon Josefsson <jas@extundo.com>
- Cc: "Roy T. Fielding" <fielding@apache.org>, uri@w3.org

At 01:52 AM 4/30/2003 +0200, Simon Josefsson wrote:
>Trevor Perrin <trevp@trevp.net> writes:
>
> > At 12:59 AM 4/30/2003 +0200, Simon Josefsson wrote:
> >
> >>There are merits to the idea that security metadata should not be part
> >>of URIs. Here is one idea that implement the fundamental idea (which
> >>I still believe is useful) without modifying URIs, like the above
> >>approach does.
> >>
> >>The syntax would be:
> >>
> >>meta:<METADATA>:<URI>
> >>
> >>So to embed that a HTTP resource should have a certain SHA-1 hash (for
> >>integrity, or even authentication, purposes) would be (this happens to
> >>be a working example):
> >>
> >>meta:sha1=oHn3H7i+rYwEnZulnHb09KO/6Ro=:http://josefsson.org/key.txt
> >>
> >>Thoughts?
> >
> > I like that too. I'd put the <URI> first, for readability. Then it
> > doesn't look too different from my suggestion.
>
>The characteristic I liked about my idea was that the original URL was
>not modified, only embedded. This simplifies implementation slightly.

true. Would you want to rename "meta" to "secure" or "crypto"? Then it becomes a little more readable..

secure:http://www.blabla...
secure:mailto:alice@acme.com...

> > One difference is I was using brackets to separate the URI from crypto
> > data. Since brackets aren't "uric" characters, that's probably a bad
> > idea. So if I change my initial approach to use a colon, like yours
> > does, and change yours to put the URI first, we can see the remaining
> > difference:
> >
> > http-://josefsson.org/key.txt:sha1=oHn3H7i+rYwEnZulnHb09KO/6Ro=
> > meta:http://josefsson.org/key.txt:sha1=oHn3H7i+rYwEnZulnHb09KO/6Ro=
> >
> > I'm denoting a secure scheme by appending "-" to the base scheme,
> > you're denoting a secure scheme (or metadata-enhanced scheme) by
> > "meta", with the base scheme in the scheme-specific part. I'm not
> > sure which way is better.
>
>According to RFC 2396, the '-' character is a valid trailing scheme
>character. Since I assume you are not proposing to register 'http-',
>'ftp-', etc individually, but rather extend the base specification so
>this idea automatically applies to all URI schemes, using a currently
>invalid scheme character might be better. Then old software will not
>be confused if someone is currently using a private scheme named
>'myownhack-://...'. So instead it could be 'http*://...'. Although I
>still prefer my idea. It doesn't require any modification to the base
>specification, just a new meta: URL registration.

Interesting.. I wanted to use asterisks, but I thought software unfamiliar with secure URIs might puke on seeing a document with an invalid scheme character. So I chose "-" as a trailer since there's currently no schemes using it, and I figured we could just cross our fingers about private schemes.

But either way, following my suggestion we'd have to change the base specification to disallow future use of "-" as a trailer, or allow use of "*" as a trailer, whereas your proposal doesn't impact the base spec. If you changed "meta" to "secure", I'd probably prefer your approach (I'd need to think about it a bit more), since it's also more readable.

Trevor
Received on Tuesday, 29 April 2003 20:19:21 UTC
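
An added example, not part of the original thread: a Python sketch of the metadata-first form `meta:<METADATA>:<URI>` discussed above, showing why that ordering lets the embedded URI pass through unmodified and how a client would check a retrieved body against the pinned digest. The function names, the `example.org` URI and the sample body are assumptions made for illustration; retrieval itself is left to the caller.

```python
import base64
import hashlib
import hmac

# Digest algorithms accepted in the metadata part. The thread only uses
# "sha1"; SHA-1 is no longer collision resistant, so a design made today
# would register a stronger digest here.
DIGESTS = {"sha1": hashlib.sha1}


def parse_meta_uri(value):
    """Split 'meta:<METADATA>:<URI>' into (algorithm, digest_bytes, uri).

    Base64 never contains ':', so the first ':' after the 'meta:' prefix ends
    the metadata and everything after it is the embedded URI, untouched.
    """
    scheme, sep, rest = value.partition(":")
    if not sep or scheme.lower() != "meta":
        raise ValueError("not a meta: URI")
    metadata, sep, uri = rest.partition(":")
    if not sep or not uri:
        raise ValueError("missing embedded URI")
    algorithm, sep, encoded = metadata.partition("=")
    if not sep or algorithm not in DIGESTS:
        raise ValueError("unsupported metadata: %r" % metadata)
    digest = base64.b64decode(encoded, validate=True)
    if len(digest) != DIGESTS[algorithm]().digest_size:
        raise ValueError("digest has wrong length for " + algorithm)
    return algorithm, digest, uri


def verify(value, body):
    """Return the embedded URI if body matches the pinned digest, else raise."""
    algorithm, expected, uri = parse_meta_uri(value)
    actual = DIGESTS[algorithm](body).digest()
    if not hmac.compare_digest(actual, expected):
        raise ValueError("content from %s fails the %s check" % (uri, algorithm))
    return uri


def make_meta_uri(uri, body, algorithm="sha1"):
    """Build a meta: URI that pins the digest of body to uri."""
    digest = base64.b64encode(DIGESTS[algorithm](body).digest()).decode("ascii")
    return "meta:%s=%s:%s" % (algorithm, digest, uri)


if __name__ == "__main__":
    body = b"constructed sample resource body\n"  # constructed sample input
    pinned = make_meta_uri("http://example.org/key.txt", body)
    print(pinned)
    print(verify(pinned, body))
```

With the URI-first ordering also discussed in the thread, the parser would have to split on the last colon instead, because the embedded URI itself contains colons.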