Agents don't like protocol switchings

[maximelefrancois86]

Dear all,

My organization uses w3id.org for semantic web projects, and we have rationale to make our ontologies ultimately accessible using the HTTP protocol (and not HTTPS).

Some agents refuse to follow redirects that imply a protocol change from HTTPS to HTTP, and I guess that's a good thing in general. But it makes classical tools randomly trigger errors:

Let's use ontology https://w3id.org/seas/FeatureOfInterestOntology as an example:

• Java HttpURLConnection does not follow HTTPS-> HTTP redirections,
• the W3C RDF validator https://www.w3.org/RDF/Validator/rdfval triggers an error ;
• Protégé is capable of loading the ontology from URL https://w3id.org/seas/FeatureOfInterestOntology
• service http://mowl-power.cs.man.ac.uk:8080/validator/ triggers error: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
• service http://vowl.visualdataweb.org/webvowl/ can load:
  • OK with http://ci.emse.fr/seas/FeatureOfInterestOntology
  • OK with http://w3id.org/seas/FeatureOfInterestOntology
  • not OK with https://w3id.org/seas/FeatureOfInterestOntology

So my question is:

• could it be possible to have only HTTP redirection for some projects in w3id ?

[davidlehn]

The http to https redirect is global at the server level right now and it's not set up to allow bypassing it. Also HSTS is globally used. I'm not sure what would be involved in changing things to allow per .htaccess security opt-outs. I think the default should be secure mode but I understand why some tools might not like that when going from https back to http.

[philarcher]

One of the motivations for establishing w3id.org was to support secure URIs and generally work with Linked Data in a a secure environment. Trying to use http URIs in this space is likely to cause problems since you're asking systems designed to be secure to operate insecurely. Others may have reasons why what I'm about to say is bad - and I'll take that - but it seems to me that if you want to use http URIs, and I can see why you do, then w3id.org may not be a good choice of namespace. The ideal, IMO, is to set up your own namespace and manage it for persistence. As for whether to use http or https generally, we talked about this at W3C a lot and ended up with my blog post in May https://www.w3.org/blog/2016/05/https-and-the-semantic-weblinked-data/

[maximelefrancois86]

Well, I see your points. what we like about w3id is that it should live till the end of the web, while there are billions of reasons why a namespace I setup myself could disappear.

So if I get it right, the best choice here would be to make my institution ultimately serve the SEAS ontologies over HTTPS. I'll try to make it happen.

I hope that the discussion in this issue will be helpful to anyone wanting to use w3id namespace to expose linked data (including ontologies).

[maximelefrancois86]

Finally switched to HTTPS.
Thanks for the valuable comment @philarcher, and all the best for whatever comes next for you.