- From: Trevor Perrin <trevp@trevp.net>
- Date: Wed, 30 Apr 2003 13:46:05 -0700
- To: "Clive D.W. Feather" <clive@demon.net>
- Cc: uri@w3.org
At 08:34 AM 4/30/2003 +0100, you wrote: >Trevor Perrin said: > >> I agree meta: isn't very informative, so a better name would be good. > >> On the other hand, secure/crypto might be too narrow. I'm thinking > >> about other possible "metadata" you might want to attach to an URL. > > > I can't think of great uses for metadata like this beside crypto data, > so I > > wouldn't mind having a "secure" scheme just targeted to document hashes, > > key/cert fingerprints, and key/cert-retrieval URLs, unless there's a > > compelling reason to broaden it. > >Bitter experience says that it's always better to make the scheme as wide >and extensible as possible. In particular, "why would you want that?" is >almost a guaranteed recipe for later regrets. If "secure" is restricted to crypto metadata, you could always define other schemes for different metadata types: language:http://whatever.com:french But I can't think of a type of metadata (besides crypto) where this would be a good idea. I guess I perceive crypto data as not really "metadata" about the resource, but rather part of the resource's identity. If you want to reliably retrieve a document, than knowing how to cryptographically authenticate the document (or document owner) is just as important as knowing its URL (at least in a sufficiently paranoid threat model). In other words, this isn't just metadata to be used after resolving the URL, but is integral to the process of resolving it, and I can't think of other data that's similarly deserving of being bound to the URL. >I also don't like "secure" because it isn't a secure link, it's a way of >(in this case) checking that the target of the link hasn't changed. To most >people, "secure" means untappable, as in the "s" of "https". I think that every secure URL would provide authentication of some sort (of the document itself, in the form of a hash value, or of the party serving the document, in the form of a key fingerprint). Some secure URLs would also provide confidentiality. So "secure" here would mean "authenticated and possibly confidential". I agree that some people might assume confidentiality, but that's a minor problem, and it's not uncommon to talk about, for example, XML-Security, and mean both XML-DSIG and XML-Encryption, so I think lots of people understand security has both authentication and confidentiality aspects to it. Trevor
Received on Wednesday, 30 April 2003 16:46:20 UTC