- From: Schleiff, Marty <marty.schleiff@boeing.com>
- Date: Tue, 15 Jul 2008 15:25:50 -0700
- To: "Mark Baker" <distobj@acm.org>, "David Orchard" <orchard@pacificspirit.com>
- Cc: "Booth, David (HP Software - Boston)" <dbooth@hp.com>, <www-tag@w3.org>
Hi All, I'm enjoying the discussion, and even learning a few things along the way. I'm still not sure if remarks like "harmful to the web" or "web friendly" or "fragmentation of the web" or "Architecture of the World Wide Web" refer to the Internet at large, or just portions of it that are accessible from browsers and other software that attempts to highlight URIs as links with certain click behavior. I look at it from a different perspective; my job entails security and identity management. I recognize the web-centric perspective many of you share as important, even though I claim no expertise in that area. I hope you can likewise recognize an identity management perspective (where I do claim some expertise) as important. URIs are identifiers, and therefore have place in identity management, whether or not they represent identity on the web, whether or not they represent links, whether or not they have defined click behavior, whether or not they are recognized by browsers. In security identity management the primary requirement for identifiers is arguably the ability to be looked up and matched in an identity repository (like a directory, or NIS, or /etc/passwd file) to be authenticated and/or to find associated attributes. Identifiers conveyed in X.509 certificates, SAML assertions, or by other means, need to be looked up in identity stores, access/error/audit/transaction logs, and other systems for various reasons. Identifiers like email addresses need to be looked up to find encryption certificates, which is not the same as click behavior for mailto:. Relying on hypermedia to discover a URI's structure, matching rules, sort order, persistence, or other characteristics is probably impractical for many identity management use cases. I think it's more practical to rely on inspection of the identifier to determine an identifier's structure/characteristics. This view does not counter the AWWW good practice for URI Opacity (http://www.w3.org/TR/webarch/#pr-uri-opacity), because this view concerns properties of the identifier, NOT properties of the referenced resource. I'm watching with interest the ongoing discussion about whether XRI should become a new URI scheme, or if XRIs should be recognized based on a particular http: authority, or both, or whatever. I still prefer a new sceme for XRI, but I agree with John Bradley that the http: approach may be acceptable. Marty.Schleiff@boeing.com; CISSP Associate Technical Fellow - Cyber Identity Specialist Information Security - Technical Controls (206) 679-5933 -----Original Message----- From: Mark Baker [mailto:distobj@acm.org] Sent: Monday, July 14, 2008 10:37 PM To: David Orchard Cc: Booth, David (HP Software - Boston); www-tag@w3.org Subject: Re: Boeing XRI Use Cases On 7/15/08, David Orchard <orchard@pacificspirit.com> wrote: > Mark, > > I believe that you do not need a new URI scheme to extract information > from URIs. HTML would have needed to create HTMLFORMSURI: or somesuch > to do forms in URIs using your example. I will again bring up URI > templates and the metadata in URI TAG finding. I believe that a > scheme whereby xris are denoted by http:// + some authority that can > do XRI resolution (such as David Booth's purl.org suggestion) + a > specific format for such URIs is completely within Web arch. There's > no division of the information space and web browsers can do GETs on > the URIs without special software. I'm certainly not prepared to > lobby the XRI folks any further than this. If they do provide URIs using http:// schemes, I cannae ask them more laddie. Using hypermedia to enable a publisher to expose a URI's structure is perfectly Web friendly of course. And I admit to not reading the entire resolution spec, but it was this paragraph of 11.2 that set off alarm bells for me because it doesn't prescribe using any authoritative information in determining whether an http URI is an HXRI or not. "URI processors that recognize XRIs SHOULD interpret the local part of an HTTP or HTTPS URI (the path segment(s) and optional query segment) as an XRI provided that: a) it conforms to this ABNF, and b) the first segment of the path conforms to the xri-authority or iauthority productions in [XRISyntax]." If that paragraph is incorrect/incomplete, then I stand corrected. Mark. -- Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca Coactus; Web-inspired integration strategies http://www.coactus.com
Received on Tuesday, 15 July 2008 22:26:58 UTC