RE: Can "http://danbri.org" and "http://danbri.org/" URIs represent different things? from john.1.kemp@nokia.com on 2009-07-02 (www-tag@w3.org from July 2009)

From: <john.1.kemp@nokia.com>
Date: Thu, 2 Jul 2009 17:48:19 +0200
To: <danbri@danbri.org>, <skw@hp.com>
CC: <www-tag@w3.org>
Message-ID: <888B565E30724C45BABA6E337DEE6B4D3A71685415@NOK-EUMSG-01.mgdnok.nokia.com>
> -----Original Message-----
> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf
> Of ext Dan Brickley
> 
> Thanks for investigating, and to John for digging out the spec
> citation,
> http://tools.ietf.org/html/rfc2616#page-18
> 
> I don't see anything in RFC2616 that stops me from claiming the URI to
> directly denote me, the person.

Not in RFC 2616, no. 

> Common sense makes me wary; it might
> quite reasonably be taken to denote a Web site in it's entirety. But
> that interpretation isn't widely established either in Web standards.

Well, in common practice (as Stuart's results indicated), using an HTTP URI without a path component typically results either in an HTTP (301/302) redirect, or an HTTP 200 with an actual representation returned. Neither of these seems particularly suited to seeing such a URI as a URI for "me, the person" unless that URI is used only as an identifier in other cases (ie. your RDF example). 

> 
> Let's leave the OpenID aspect aside for now, for clarity. Except:
> 
> One thing I learned recently when the danbri.org site was hacked, was
> that it is a really horrible experience. In future I want my openid to
> be kept WELL AWAY from my blog, my PHP scripts, and other possible
> entry
> points for vandals, spammers, identity thieves etc. Because danbri.org
> was compromised (for a while), my OpenID delegation could have been
> mis-used, etc etc.
> 
> My lesson here is that I want to use a new and separate sub-domain for
> OpenID purposes, FOAF files etc. And my main website can be a more
> chaotic, risky, lower security affair. So I expect to start using
> something like http://id.danbri.org/ as an OpenID. Or perhaps even
> http://id.danbri.org/
> 
> Can anyone find good reason (from deployment pragmatics, or specs) why
> 
> I can't write
> 
>   me-the-person: http://id.danbri.org

I think this depends on what you want to do with that URI. In OpenID, the above would become http://id.danbri.org/ anyway under the OpenID normalization rules. 

>   my homepage, delegating openid page, etc. ... http://id.danbri.org/
> 
> This would be really nice, since at the moment SemWeb people are
> running
> around using either very different URIs for themselves and their
> homepages, or putting #me into them. With the above model, they could
> essentially put *almost* the same URL on their sig files, biz cards
> etc., and let the browser correct the difference transparently.
> 
> No browser knows to add or remove "#me" yet, by contrast.
> 
> > Note wget and firefox both appear to make request for
> http://danbri.org/ - which is what gets rewritten into the browser
> address bar - no redirections, no content-location... all before fact
> of making the request.
> 
> So they're different URIs, and the shorter one does NOT return a 200.

Having just gone there and looked in Firebug, http://danbri.org does indeed appear to return an HTTP 200, but the browser address bar shows http://danbri.org/. No redirect operation is shown in Firebug. That usage is consistent with some other sites, but others use an HTTP 301 or 302 to redirect to another URI.

> It
> can't be de-referenced directly, only adapted by universally known
> rules
> into a different URI. The adaptation step is under-documented, and
> doesn't make explicit whether the "before" and "after" forms denote
> different things. Is that a fair reading?

My reading of the MUST in RFC 2616:

"If the abs_path is not present in the URL, it MUST be given as "/" when
   used as a Request-URI for a resource"

is that "no path" is considered to be the equivalent of a path of "/".

My reading would thus be that the URIs denote the /same/ thing.

Regards,

- johnk

> 
> > So a bit like using #'d URI, the URI that makes it to the request
> line is different from the one used in the reference.
> 
> Yup. But it would make for a much more consistent story with other
> "social Web" folk who like URIs for people too...
> 
> Domain name registrars might be happy also.
> 
> cheers,
> 
> Dan
> 
> 
> > --
> >
> > GET http://danbri.org/ HTTP/1.1
> > Host: danbri.org
> > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB;
> rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
> > Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > Accept-Language: en-gb,en;q=0.5
> > Accept-Encoding: gzip,deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Keep-Alive: 300
> > Proxy-Connection: keep-alive
> >
> > HTTP/1.1 200 OK
> > Date: Wed, 01 Jul 2009 09:45:32 GMT
> > Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-
> Patch
> > Last-Modified: Sat, 09 May 2009 15:01:37 GMT
> > ETag: "9b4b6-412-4697c05936f66"
> > Accept-Ranges: bytes
> > Vary: Accept-Encoding
> > Content-Type: text/html
> > Content-length: 1042
> > Proxy-Connection: Keep-Alive
> > Connection: Keep-Alive
> > Age: 349
> >
> > <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN"
> "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
> > <html xmlns="http://www.w3.org/1999/xhtml"
> >        xmlns:foaf="http://xmlns.com/foaf/0.1/">
> > <head>
> > <title>Dan Brickley</title>
> > <link rel="meta" type="application/rdf+xml" title="FOAF"
> href="http://danbri.org/foaf.rdf" />
> >
> > 			<link rel="openid2.provider"
> href="http://danbri.org/words/openid/server" />
> > 			<link rel="openid2.local_id"
> href="http://danbri.org/words/author/danbri/" />
> > 			<link rel="openid.server"
> href="http://danbri.org/words/openid/server" />
> > 			<link rel="openid.delegate"
> href="http://danbri.org/words/author/danbri/" />
> >
> > </head>
> > <body>
> > <h1>danbri.org</h1>
> > <p>This is the new minimalist danbri.org.</p>
> > <p>Nearby:<a href="words/">Dan's blog</a></p>
> > </body>
> > </html>
> > <!--<link rel="openid2.local_id" href="https://me.yahoo.com/danbri3"
> />
> >      <link rel="openid2.provider"
> href="https://open.login.yahooapis.com/openid/op/auth" />
> >      <meta http-equiv="X-XRDS-Location"
> content="https://me.yahoo.com/danbri3" />
> > -->
> >
> >> -----Original Message-----
> >> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org]
> >> On Behalf Of Dan Brickley
> >> Sent: 01 July 2009 01:54
> >> To: www-tag@w3.org WG
> >> Subject: Can "http://danbri.org" and "http://danbri.org/"
> >> URIs represent different things?
> >>
> >> Hello TAG,
> >>
> >> Talking with some SW folk about OpenID, and whether my
> >> "me-the-person"
> >> URI could be practically usable as my OpenID, I came up with this
> >> corner-case:
> >>
> >> Could http://danbri.org be a URI for "me the person", and
> >> http://danbri.org/ be a document about me (and also serve as
> >> my OpenID)?
> >>
> >> As I understand HTTP, any client must request something, so
> >> the former
> >> isn't directly de-referencable. The client has to decide to ask for
> /
> >> from danbri.org instead. But they're still different URIs,
> >> aren't they?
> >>
> >> Is...
> >>
> >> <Person  xmlns:foaf="http://xmlns.com/foaf/0.1"/
> >>            rdf:about="http://danbri.org">
> >>    <openid>
> >>       <Document rdf:about="http://danbri.org/"/>
> >>    </openid>
> >> </Person>
> >>
> >> ...at all feasible? I guess it depends on how exactly we
> >> think about the
> >> "add a / to the end" step...
> >>
> >> cheers,
> >>
> >> Dan
> >>
> >>
>
Received on Thursday, 2 July 2009 15:50:01 UTC