- From: <noah_mendelsohn@us.ibm.com>
- Date: Tue, 16 May 2006 21:33:53 -0400
- To: "Bullard, Claude L \(Len\)" <len.bullard@intergraph.com>
- Cc: "Frank Manola" <fmanola@acm.org>, www-tag@w3.org
Claude Bullard writes:
> That's a caveat emptor argument. Trust the provider. On the other
> hand, the smart move is trust but verify and that means the buyer always
> assumes the risk.
Indeed, but the finding is trying to make the point that the nature of the
risk is qualitatively different when you are inferring information based
on normative recommendations, vs. based on assumptions you just consider
plausible. Let's say someone sends you a link:
http://example.org/weatherReports/Chicago
You as a consumer convince yourself of two things: 1) the authority for
this resource is example.org and 2) it's for a weather report in Chicago.
You're right that in both cases there's an element of buyer beware. Either
of those inferences could be wrong. The provider could have maliciously
sent you a URI that he or she knew was not in fact assigned by
example.org. You also could have guessed wrong that the word
"weatherReports" meant you were getting weather reports. In both cases,
you as a consumer of the URI are taking a risk, but the two assumptions
feel very different to me. In particular, an omniscient observer could
show that the malicious user has indeed done something wrong, i.e. has
violated a Recommendation by appearing to assign a URI outside of its
authority. If someone publishes a work of art named
"weatherReports/Chicago" under the URI above, then they have at worst
violated good practice. I still believe that the two cases are
qualitatively very different.
Noah
--------------------------------------
Noah Mendelsohn
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------
Received on Wednesday, 17 May 2006 01:34:13 UTC