Use https or http URIs for new identifiers?

[azaroth42]

Assuming that #417 is addressed, should we create URIs that use the HTTPS or HTTP scheme/protocol for identifiers? For example, should the context for auth 1.0 be:

• http://iiif.io/api/auth/1/context.json
• https://iiif.io/api/auth/1/context.json

If HTTP is the decision, this would invalidate #601. If HTTPS is the decision, the current changes are for Auth 1.0 and Search 1.0. It would affect any future specifications as well, of course.

[azaroth42]

My intuition is for currently keeping http for the following reasons:

• Having some contexts (or other identifiers) be https and some http would make for difficult to detect and debug issues. Most clients would end up having to check for http://* and https://* which defeats the point of a unique identifier.
• We don't know about http2 yet, which has the potential of requiring TLS and thus http2 would be only https. Some clients and servers have already implemented it, so this may not be too far down the line. One would expect that http2's scheme would be http, not https.
• We have already declared that http://iiif.io/api/image/ is the unchanging protocol URI which we can't undo. Or we could but it would be definitely 😊, and doubly so if http2 drops the s and we have to change it back.
• We haven't actually addressed Visiting the iiif.io site over https causes the site not to work #417 yet.
• I don't believe there's a mixed [passive or active] content issue here?

So my proposal is to at least defer this along with #601, and prefer to close both wontfix.

[zimeon]

Perhaps on the call you can say more about http2. I certainly agree that we should do #417 with highest priority, both this and #601 are less urgent.

[azaroth42]

Strike the http2 issue. An update since I last checked adds back http over clear text, whereas previously it was all TLS: https://tools.ietf.org/html/rfc7540#section-3.1

[azaroth42]

Propose close wontfix, continue to use http.

[jpstroop]

👍 to wontfix; we certainly can't require HTTPS

[zimeon]

How about defer to 3.0 instead of wondtfix? We should perhaps consider again in a bit

[jpstroop]

+1 to defer

[tomcrane]

👍 to defer

[azaroth42]

👍 to defer

On Fri, Dec 11, 2015 at 8:12 AM, Tom Crane notifications@github.com wrote:

[image: 👍] to defer

—
Reply to this email directly or view it on GitHub
#604 (comment).

Rob Sanderson
Information Standards Advocate
Digital Library Systems and Services
Stanford, CA 94305

[sdellis]

Does deferring this prevent the Auth spec from coming out of draft?

[jpstroop]

I think we can keep HTTPS in examples in the auth spec where it wouldn't make sense to do anything else, but stay silent otherwise.

[azaroth42]

This issue is only about iiif minted uris, not implementations. Auth implementations not using https should reconsider their understanding of security ;)

[azaroth42]

W3C has recently discussed this and the decision was:

• All documents MUST be https
• All namespaces and other identifiers remain as http

The rationale is that the identifiers often already exist, and don't need to be dereferenced in real time. Best practice is to ALSO provide whatever representations of the resources using https, but it's on the client to try https first.

For example: w3c/web-annotation#347

Eds on 2016-09-21 call propose that this be closed with the decision of stick with HTTP

[azaroth42]

And thus propose close wontfix, we'll keep using HTTP URIs.

[jpstroop]

👍

[zimeon]

👍 to close wontfix -- looks like we agreed a while ago and should just do it?

[azaroth42]

Yep. Re-open if anyone disagrees.