Re: secure URIs

Trevor Perrin <trevp@trevp.net> writes:

> At 01:52 AM 4/30/2003 +0200, Simon Josefsson wrote:
>
>>Trevor Perrin <trevp@trevp.net> writes:
>>
>> > At 12:59 AM 4/30/2003 +0200, Simon Josefsson wrote:
>> >
>> >>There are merits to the idea that security metadata should not be part
>> >>of URIs.  Here is one idea that implements the fundamental idea (which
>> >>I still believe is useful) without modifying URIs, like the above
>> >>approach does.
>> >>
>> >>The syntax would be:
>> >>
>> >>meta:<METADATA>:<URI>
>> >>
>> >>So to embed that a HTTP resource should have a certain SHA-1 hash (for
>> >>integrity, or even authentication, purposes) would be (this happens to
>> >>be a working example):
>> >>
>> >>meta:sha1=oHn3H7i+rYwEnZulnHb09KO/6Ro=:http://josefsson.org/key.txt
>> >>
>> >>Thoughts?
>> >
>> > I like that too.  I'd put the <URI> first, for readability.  Then it
>> > doesn't look too different from my suggestion.
>>
>>The characteristic I liked about my idea was that the original URL was
>>not modified, only embedded.  This simplifies implementation slightly.
>
> true.  Would you want to rename "meta" to "secure" or "crypto"?  Then
> it becomes a little more readable..
>
> secure:http://www.blabla...
> secure:mailto:alice@acme.com...

I agree meta: isn't very informative, so a better name would be good.
On the other hand, secure/crypto might be too narrow.  I'm thinking
about other possible "metadata" you might want to attach to a URL.
E.g.:

meta:preferred_language=fr:http://www.debian.org/

Although this example is probably not a good one, as it is http
specific.

>> > I'm denoting a secure scheme by appending "-" to the base scheme,
>> > you're denoting a secure scheme (or metadata-enhanced scheme) by
>> > "meta", with the base scheme in the scheme-specific part.  I'm not
>> > sure which way is better.
>>
>>According to RFC 2396, the '-' character is a valid trailing scheme
>>character.  Since I assume you are not proposing to register 'http-',
>>'ftp-', etc individually, but rather extend the base specification so
>>this idea automatically applies to all URI schemes, using a currently
>>invalid scheme character might be better.  Then old software will not
>>be confused if someone is currently using a private scheme named
>>'myownhack-://...'.  So instead it could be 'http*://...'.  Although I
>>still prefer my idea.  It doesn't require any modification to the base
>>specification, just a new meta: URL registration.
>
> Interesting..  I wanted to use asterisks, but I thought software
> unfamiliar with secure URIs might puke on seeing a document with an
> invalid scheme character.  So I chose "-" as a trailer since there's
> currently no schemes using it, and I figured we could just cross our
> fingers about private schemes.

It may be safer if old software puked on it, rather than possibly
parse it as an existing private-use URI.  But this is really mostly a
theoretical problem.

I do prefer registering one new URL scheme, instead of either
modifying the base specification or registering many URL schemes, though.

Received on Tuesday, 29 April 2003 21:25:51 UTC
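
The meta:<METADATA>:<URI> syntax proposed in the message above, parsed and checked in Python as an added example (not code from the thread or its authors). It assumes <METADATA> is a single key=value pair containing no ':'; the function names and the example.org sample are constructed for illustration.

```python
import base64
import hashlib
import hmac


def parse_meta_uri(meta_uri):
    """Split meta:<METADATA>:<URI> into (key, value, embedded_uri)."""
    scheme, sep, rest = meta_uri.partition(":")
    if not sep or scheme.lower() != "meta":
        raise ValueError("not a meta: URI")
    # Assumption: <METADATA> is one key=value pair with no ':' in it, so
    # the first ':' ends it and the embedded URI passes through unmodified.
    metadata, sep, embedded_uri = rest.partition(":")
    if not sep or not embedded_uri:
        raise ValueError("missing embedded URI")
    # Split on the first '=' only: base64 values end in '=' padding.
    key, sep, value = metadata.partition("=")
    if not sep or not key or not value:
        raise ValueError("metadata must be key=value")
    return key, value, embedded_uri


def verify_body(meta_uri, body):
    """Return the embedded URI only if body matches the sha1 metadata."""
    key, value, embedded_uri = parse_meta_uri(meta_uri)
    if key != "sha1":
        # Metadata such as preferred_language carries no integrity claim.
        raise ValueError("no sha1 metadata to verify against")
    expected = base64.b64decode(value, validate=True)
    if len(expected) != hashlib.sha1().digest_size:
        raise ValueError("sha1 value is not a 20-byte digest")
    actual = hashlib.sha1(body).digest()
    if not hmac.compare_digest(actual, expected):
        raise ValueError("body does not match sha1 metadata")
    return embedded_uri


def make_meta_uri(uri, body):
    """Build a meta: URI pinning body's SHA-1 (hypothetical helper)."""
    digest = base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")
    return "meta:sha1=" + digest + ":" + uri


# Constructed sample: placeholder host and body, not the thread's key.txt.
SAMPLE_BODY = b"constructed sample key material\n"
SAMPLE_URI = make_meta_uri("http://example.org/key.txt", SAMPLE_BODY)
```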