[OAI-implementers] HTTPS and OAI
Stephen Crawley
crawley at dstc.edu.au
Thu Sep 30 22:32:53 EDT 2004
You wrote:
> However, https is not an 'accepted' transport for OAI-PMH. The
> specification describes only http transport. I wonder if there any good
> reason to encourage harvesters to support https in 'open' applications?
(Note: it is not just 'harvesters' that will use OAI-PMH. The 'sets'
functionality means that it could be used as a primitive category-based
metadata query mechanism.)
Here are some good reasons:
1) To allow private metadata to be interchanged securely. While the
primary motivation of OAI-PMH is for open interchange, there is no good
reason to preclude other uses of the protocol.
2) To allow important (public or private) metadata to be interchanged
reliably. HTTPS assures that no third party is tweaking the metadata
on the wire.
3) To allow the client machines to know that they are talking to the
right server. HTTPS will catch attempts at spoofing; e.g. someone
creating a server that pretends to be your OAI server.
4) To allow OAI servers to know who they are really sending metadata
to. HTTPS with client-side certificates (checked by the server)
allows the server to establish that the client's true identity can
be reliably determined if required. Regular HTTPS can also be
used to make other forms of HTTP-based user authentication safe;
e.g. to secure user account names and passwords in an HTTP Basic
Authentication interchange.
5) To ensure privacy of client requests. Even when metadata is
public, it could be important that third parties do not know which
records are being requested by which clients.
Most people would prefer not to think about the kinds of issues that
HTTPS guards against. But that does not make them imaginary.
IMO, it would be useful if the OAI specifications made some sensible
recommendations about the use of HTTPS and the use of standard HTTP
authentication mechanisms ... where appropriate.
-- Steve
+----------------------------------+----------------------------------------
| Stephen Crawley | HotMeta Project Leader
| Level 7, GP South Building (78) | Distributed Systems Technology CRC
| Staff House Road | Tel : +61 7 3365 4310
| The University of Queensland | Fax : +61 7 3365 4311
| Queensland 4072 | Email : crawley at dstc.edu.au
| Australia | WWW : http://www.dstc.edu.au
| | DSTC is the Australian W3C Office
+----------------------------------+----------------------------------------
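As an added example (not code from the original post or from any OAI project), here is a minimal Python OAI-PMH harvest step that applies the points above: it refuses non-HTTPS base URLs, verifies the server certificate and hostname, can present a client certificate, and follows resumptionToken through a ListRecords sequence. The base URL repo.example.org, the set name and the certificate paths are assumed placeholders, and the two response pages are constructed so the flow runs offline.

```python
import ssl
import urllib.request
from urllib.parse import urlencode, urlsplit
import xml.etree.ElementTree as ET
NS = {"oai": "http://www.openarchives.org/OAI/2.0/"}

def build_request_url(base_url, verb, **params):
    # Refuse plain http: verb/set/identifier and the returned metadata must not travel in clear.
    if urlsplit(base_url).scheme != "https":
        raise ValueError("OAI-PMH base URL must use https://, got " + base_url)
    query = {"verb": verb, **{k: v for k, v in params.items() if v is not None}}
    return base_url + "?" + urlencode(query)
def make_tls_context(ca_file=None, client_cert=None, client_key=None):
    # Verify chain + hostname (catches a spoofed repository); optional client cert for identity.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname, ctx.verify_mode = True, ssl.CERT_REQUIRED
    if client_cert:  # placeholder paths, e.g. "harvester.pem"
        ctx.load_cert_chain(client_cert, client_key)
    return ctx
def https_fetch(url, ctx):
    # urlopen raises ssl.SSLCertVerificationError if the server chain does not verify.
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return resp.read()
def parse_list_records(xml_bytes):
    # Return (record identifiers, resumptionToken or None); an empty token ends the list.
    root = ET.fromstring(xml_bytes)
    ids = [h.findtext("oai:identifier", namespaces=NS)
           for h in root.iterfind(".//oai:record/oai:header", NS)]
    return ids, (root.findtext(".//oai:resumptionToken", namespaces=NS) or None)
def harvest(base_url, ctx, set_spec=None, fetcher=https_fetch):
    # Walk ListRecords, following resumptionToken until the final (empty) one.
    url = build_request_url(base_url, "ListRecords", metadataPrefix="oai_dc", set=set_spec)
    found = []
    while True:
        ids, token = parse_list_records(fetcher(url, ctx))
        found.extend(ids)
        if token is None:
            return found
        url = build_request_url(base_url, "ListRecords", resumptionToken=token)

# Constructed two-page ListRecords exchange so the flow can be exercised offline.
FIRST = (b'<OAI-PMH xmlns="http://www.openarchives.org/OAI/2.0/"><ListRecords>'
         b'<record><header><identifier>oai:example.org:1</identifier></header></record>'
         b'<record><header><identifier>oai:example.org:2</identifier></header></record>'
         b'<resumptionToken>page2</resumptionToken></ListRecords></OAI-PMH>')
LAST = (b'<OAI-PMH xmlns="http://www.openarchives.org/OAI/2.0/"><ListRecords>'
        b'<record><header><identifier>oai:example.org:3</identifier></header></record>'
        b'<resumptionToken/></ListRecords></OAI-PMH>')
def fake_fetch(url, ctx):  # stand-in for https_fetch, serving the constructed pages
    return LAST if "resumptionToken=page2" in url else FIRST
```

Against a live repository, replace fake_fetch with the default https_fetch and pass make_tls_context(...) as ctx; a certificate that does not verify aborts the harvest instead of silently accepting spoofed metadata.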