Re: XML Schema validation and https redirects from Gerald Oskoboiny on 2022-08-19 (xmlschema-dev@w3.org from August 2022)

From: Gerald Oskoboiny <gerald@w3.org>
Date: Fri, 19 Aug 2022 13:50:35 -0700
To: Norm Tovey-Walsh <ndw@nwalsh.com>
Cc: xmlschema-dev@w3.org
Message-ID: <Yv/3m9NGnwltgGDs@w3.org>

* Norm Tovey-Walsh <ndw@nwalsh.com> [2022-08-19 09:39+0100]
>Greg Hunt <greg@firmansyah.com> writes:

>> Break the validation, even momentarily, and all you have is a legacy
>> technology that is harder to argue for.
>>
>> I am with Michael on this, publishing stable URIs, (and I am inclined
>> to factor in the frankly rather vague statements about dereferencing
>> URLs), constituted a promise to not change things, a promise that you
>> cannot evade by saying people ought to be reading the W3C blog and
>> updating their software.

I agree stable URIs are important, and I think W3C has done a 
better job of preserving the stability of its URIs than almost 
any other organization, including orgs with several orders of 
magnitude more resources at their disposal.

>I think those are very reasonable and valid points. On the other hand,
>configuring software so that it dereferences www.w3.org to do validation
>of some local resource was probably not an explicit decision, it’s
>probably an accident. The application is going to fail when www.w3.org
>falls off the internet, which I’m sure it does periodically when
>maintenance is performed, or when someone borks DNS on purpose or by
>mistake.
>
>We know that http: URIs are insecure and subject to various kinds of
>attacks. If someone constructs an attack vector that uses a hacked
>schema injected into an insecure HTTP stream to get software to accept
>an otherwise invalid document with some downstream consequence that the
>black hats can exploit, that’s bad too. If a bit…unlikely.

+1

During this round of testing we heard from (among others) a 
casino and an insurance company saying their production services 
were impacted by this change. Why would these companies *want* 
their production services to be dependent on the availability of 
a web site run by a small nonprofit they likely never even heard 
of?

These experiments with redirecting the whole site to https are 
really just an exploration into whether this is feasible at all, 
and if not, which resource(s) we need to continue to serve via 
HTTP. But making exceptions would just add to the already huge 
pile of technical debt that has accumulated after decades of not 
throwing things away.

-- 
Gerald Oskoboiny <gerald@w3.org>
http://www.w3.org/People/Gerald/
tel:+1-604-906-1232 (mobile)

Received on Friday, 19 August 2022 20:50:40 UTC