- From: <noah_mendelsohn@us.ibm.com>
- Date: Mon, 15 May 2006 10:58:59 -0400
- To: Dan Connolly <connolly@w3.org>
- Cc: Robin Berjon <robin.berjon@expway.fr>, www-tag@w3.org
Dan Connolly wrote:

> On Fri, 2006-05-12 at 13:30 +0200, Robin Berjon wrote:
> [...]
> > I find this foray into "URIs are cooler when humans can actually
> > fiddle with them (at their own risk)" to be highly encouraging. I
> > think however that it is incomplete without an adjacent discussion of
> > when and why it may (or may not) be appropriate to take active steps
> > in preventing users from being able to "explore and experiment" with
> > URIs, notably through such devices as including the creation year in
> > the URI (aka datedspace).
>
> Could you elaborate a bit? I'm not sure I see where you're headed.
>
> It seems to me that the argument against the year-of-creation idiom
> is mostly covered by the example with
> http://example.org/123Hx67v4gZ5234Bq5rZ

I agree with Dan, but would also point to the section on security [1], where it says of our nefarious ISP employee:

"A malicious worker at an Internet Service Provider notices these URIs in his traffic logs, and determines the bank account numbers for his Internet customers. Furthermore, if access controls are not properly in place, he might be able to guess the URIs for other accounts, and to attempt to access them."

Seems to me that 2nd sentence covers exactly what Robin is asking me to explain. Am I right? I agree it's not the longest possible explanation, but I thought the finding as a whole was at risk of getting too long. Dan elsewhere suggested that the security section might benefit from a bit more detail or a more compelling example [2]. Let's see where that discussion goes. I'm sort of comfortable with the short version for the moment, but may well be convinced to add a bit. I'll keep both sets of comments in mind.

In any case, I don't think we can ever prevent users from trying to experiment with URIs, though we can put in place access controls to keep them from succeeding and/or pass laws that impose penalties for experimenting maliciously. What I think you're after is structuring URIs to make such exploration much more difficult, and as I say I think that's covered, albeit briefly, in the security section.

Thanks!

Noah

[1] http://www.w3.org/2001/tag/doc/metaDataInURI-31#hideforsecurity

--------------------------------------
Noah Mendelsohn
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------
Received on Monday, 15 May 2006 14:59:07 UTC