Re: [metadataInURI-31] New editors draft for Metadata In URIs Finding from noah_mendelsohn@us.ibm.com on 2006-05-15 (www-tag@w3.org from May 2006)

From: <noah_mendelsohn@us.ibm.com>
Date: Mon, 15 May 2006 10:58:59 -0400
To: Dan Connolly <connolly@w3.org>
Cc: Robin Berjon <robin.berjon@expway.fr>, www-tag@w3.org
Message-ID: <OF330D99E0.5E81B9DF-ON8525716F.0051722B-8525716F.0052637F@lotus.com>

Dan Connolly wrote:

> On Fri, 2006-05-12 at 13:30 +0200, Robin Berjon wrote:
> [...]
> > I find this foray into "URIs are cooler when humans can actually 
> > fiddle with them (at their own risk)" to be highly encouraging. I 
> > think however that it is incomplete without an adjacent discussion of 
> > when and why it may (or may not) be appropriate to take active steps 
> > in preventing users from being able to "explore and experiment" with 
> > URIs, notably through such devices as including the creation year in 
> > the URI (aka datedspace).
> 
> Could you elaborate a bit? I'm not sure I see where you're headed.
> 
> It seems to me that the argument against the year-of-creation idiom
> is mostly covered by the example with
> http://example.org/123Hx67v4gZ5234Bq5rZ

I agree with Dan, but would also point to the section on security [1], 
where it says of our nefarious ISP employee:

"A malicious worker at an Internet Service Provider notices these URIs in 
his traffic logs, and determines the bank account numbers for his Internet 
customers. Furthermore, if access controls are not properly in place, he 
might be able to guess the URIs for other accounts, and to attempt to 
access them."

Seems to me that 2nd sentence covers exactly what Robin is asking me to 
explain.  Am I right?  I agree it's not the longest possible explanation, 
but I thought the finding as a whole was at risk of getting to long.  Dan 
elsewhere suggested that the security section might benefit from a bit 
more detail or a more compelling example [2].  Let's see where that 
discussion goes.   I'm sort of comfortable with the short version for the 
moment, but may well be convinced to add a bit.  I'll keep both sets of 
comments in mind. 

In any case, I don't think we can ever prevent users from trying to 
experiment with URIs, though we can put in place access controls to keep 
them from succeeding and/or pass laws that impose penalties for 
experimenting maliciously.  What I think you're after is structuring URIs 
to make such exploration much more difficult, and as I say I think that's 
covered albeit briefly in the security section.  Thanks!

Noah

[1] http://www.w3.org/2001/tag/doc/metaDataInURI-31#hideforsecurity

--------------------------------------
Noah Mendelsohn 
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------

Received on Monday, 15 May 2006 14:59:07 UTC