New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use https or http URIs for new identifiers? #604
Comments
My intuition is for currently keeping http for the following reasons:
So my proposal is to at least defer this along with #601, and prefer to close both wontfix. |
Strike the http2 issue. An update since I last checked adds back http over clear text, whereas previously it was all TLS: https://tools.ietf.org/html/rfc7540#section-3.1 |
Propose close wontfix, continue to use http. |
👍 to wontfix; we certainly can't require HTTPS |
How about defer to 3.0 instead of wondtfix? We should perhaps consider again in a bit |
+1 to defer |
👍 to defer |
👍 to defer On Fri, Dec 11, 2015 at 8:12 AM, Tom Crane notifications@github.com wrote:
Rob Sanderson |
Does deferring this prevent the Auth spec from coming out of draft? |
I think we can keep HTTPS in examples in the auth spec where it wouldn't make sense to do anything else, but stay silent otherwise. |
This issue is only about iiif minted uris, not implementations. Auth implementations not using https should reconsider their understanding of security ;) |
W3C has recently discussed this and the decision was:
The rationale is that the identifiers often already exist, and don't need to be dereferenced in real time. Best practice is to ALSO provide whatever representations of the resources using https, but it's on the client to try https first. For example: w3c/web-annotation#347 Eds on 2016-09-21 call propose that this be closed with the decision of stick with HTTP |
And thus propose close wontfix, we'll keep using HTTP URIs. |
👍 |
👍 to close wontfix -- looks like we agreed a while ago and should just do it? |
Yep. Re-open if anyone disagrees. |
Assuming that #417 is addressed, should we create URIs that use the HTTPS or HTTP scheme/protocol for identifiers? For example, should the context for auth 1.0 be:
If HTTP is the decision, this would invalidate #601. If HTTPS is the decision, the current changes are for Auth 1.0 and Search 1.0. It would affect any future specifications as well, of course.
The text was updated successfully, but these errors were encountered: