- From: Ed Davies <edavies@nildram.co.uk>
- Date: Fri, 10 Nov 2006 17:05:46 +0000
- To: "Henry S. Thompson" <ht@inf.ed.ac.uk>
- CC: www-tag@w3.org
Henry Story wrote:
> To me, unauthorised resources should be protected by Access control
> mechanism, not by the shape of the url.

To me too, but apparently not to the lawyers in this case.

The key question is, in my view, what the meaning of a GET request is. Is it "give me a representation of this resource which I assert I am authorized to access" or is it "please give me a representation of this resource if you think that the user name, password, referer, or whatever, of this request entitles me to it"? I think most people who have much understanding of the web would choose the second interpretation. Unfortunately, RFC 2616 section 9.3, GET, does not make this explicit and actually seems to indicate that the request is only conditional on other aspects.

> I suppose case law can be shown to be wrong too.

I hope so.

Henry S. Thompson wrote:
> This is misleading. It seems likely Cuthbert was the victim of a
> miscarriage of justice [I at least am still waiting to see the
> transcript of the actual judgement, rather than 3rd-hand summaries by
> journalists], as a result of bad law, but his actions appear to have
> gone somewhat beyond anything suggested or encouraged by the draft
> finding, in that it's alleged that he constructed a URI with more '..'
> stages than there were steps in the published URI he started from.

Indeed, the two examples are not quite the same, but I think the idea is that any use of a computer which has not been authorized is illegal (I'm talking about in the UK, of course), which presumably would include accessing Boston's weather when the advert only described how to get to Chicago's.

I wrote:
>> 1. Should this TAG finding note this point?

Henry S. Thompson replied:
> Perhaps, but only if we have hard facts beyond press reports about the
> actual judgement.

This particular case is only an illustration, so we need not get too involved in the details.

As an aside, however, what's not clear to me is whether or not Cuthbert actually accessed a directory three levels up from the given URI, or whether it was the server logs of his failed attempt which caused the visit from the plod. I.e., is accessing an unauthorized resource required, or just the attempt to do so? These sorts of details of British law are somewhat beside the point, though.

I asked:
>> 2. Can a TAG finding define or change the meaning of a URL,
>> an HTTP access or other protocol element in such a way
>> as to change the interpretation of the law in a country?

Henry S. Thompson replied:
> Certainly not (but IANAL).

I'm not so sure. After all, the GET request only has any meaning beyond being a sequence of voltage levels traveling down the wire because of various standards published by the IETF, W3C, ITU, etc. It's only in the light of that meaning that there's any case at all.

I asked:
>>> 1. Should this TAG finding note this point?

Dan Connolly replied:
> I think we already have...
>
> "Deep Linking" in the World Wide Web
> TAG Finding 11 Sep 2003
> http://www.w3.org/2001/tag/doc/deeplinking-20030911

Good reference. Thanks. However, while that finding says that attempts to circumvent access control policies pass from the domain of technology to that of public policy, it does not say anything about manipulation of URIs in ways which are not meant to circumvent access control policies. This is what I am suggesting could be usefully included in the Metadata finding. Of course, there's the not-too-simple question as to what URI manipulations would fall into which class.

Ed Davies.
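The message above argues that entitlement to a resource should come from the server's access control decision (the second reading of GET) rather than from the shape of the URL, and that a path such as `/weather/chicago` says nothing about whether `/weather/boston` or something reached via `..` segments is meant to be open. The following is an added illustration of that principle, not code from the original message or from the TAG: a minimal GET handler in which the resources, the users, the access-control list and the decision to answer 400 for paths that climb above the root are all constructed assumptions. The point it makes is that two spellings of the same path land on the same ACL entry, and that an unlisted or oddly spelled URL is never treated as "hidden" in place of a real check.

```python
"""
Added example (not from the original message): a GET handler that decides
entitlement from an access-control list keyed by the canonical resource,
never from how the requester spelled the path.  Resources, users and ACL
are all constructed for illustration.
"""
from typing import Optional, Tuple

# Constructed sample resources.  Nothing about the names themselves
# conveys whether a requester is entitled to them.
RESOURCES = {
    "/weather/chicago": "Chicago: 4C, overcast",
    "/weather/boston": "Boston: 7C, rain",
    "/admin/config": "secret=...",
}

# Constructed ACL: "*" means anyone, including unauthenticated requests.
ACL = {
    "/weather/chicago": {"*"},
    "/weather/boston": {"*"},
    "/admin/config": {"alice"},
}

# Constructed credentials; a real server would use a proper password store.
USERS = {"alice": "correct horse", "bob": "battery staple"}


def authenticate(auth: Optional[Tuple[str, str]]) -> Optional[str]:
    """Return the user name if the (user, password) pair is valid, else None."""
    if auth is None:
        return None
    user, password = auth
    return user if USERS.get(user) == password else None


def canonical_path(raw: str) -> Optional[str]:
    """Collapse '.' and '..' segments so that every spelling of a resource
    maps to the same ACL entry.  A path that would climb above the root is
    rejected (returns None); that choice is an assumption of this example."""
    if not raw.startswith("/"):
        return None
    parts = []
    for seg in raw.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None  # would climb above the root
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def handle_get(raw_path: str, auth: Optional[Tuple[str, str]] = None) -> Tuple[int, str]:
    """Return (status, body) for a GET of raw_path.

    Authorisation is decided from the ACL entry of the canonical resource.
    The server, not the shape of the URL, answers the question "is this
    requester entitled to a representation?"."""
    path = canonical_path(raw_path)
    if path is None:
        return 400, "Bad Request"
    user = authenticate(auth)
    if auth is not None and user is None:
        return 401, "Unauthorized"  # credentials were offered but are wrong
    if path not in RESOURCES:
        return 404, "Not Found"
    allowed = ACL.get(path, set())
    if "*" in allowed or user in allowed:
        return 200, RESOURCES[path]
    # Known resource, requester not entitled.  Whether the name was published
    # or guessed makes no difference to the decision.
    if user is None:
        return 401, "Unauthorized"
    return 403, "Forbidden"


if __name__ == "__main__":
    for req in [("/weather/chicago", None),
                ("/weather/boston", None),
                ("/weather/../admin/config", None),
                ("/admin/config", ("bob", "battery staple")),
                ("/admin/config", ("alice", "correct horse")),
                ("/../../admin/config", None)]:
        print(req, "->", handle_get(*req))
```

Note that `/weather/boston` is served to anyone not because its name resembles the published `/weather/chicago`, but because the ACL says so; change that entry and the same URL is refused, while `/weather/../admin/config` and `/admin/config` are treated identically because they canonicalise to the same resource.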
Received on Friday, 10 November 2006 19:39:02 UTC