[OAI-implementers] Should OAI-PMH over HTTPS be permitted?

Simeon Warner simeon at cs.cornell.edu
Wed Feb 16 11:40:54 EST 2005

There has been some interest recently in using OAI-PMH over HTTPS [1]. The
OAI-PMH specification [2] mentions only operation over HTTP, so I think
that at present HTTP must be used to conform to the specification (and
this is enforced by the validation/registration site). The specification
should be explicit about whether the use of HTTPS is conforming or not.

It would be trivial to extend the specification to permit the use of HTTPS
as it is just standard HTTP operating over an additional security layer.
There would be no need to change the semantics or syntax beyond the
substitution of 'https://' for 'http://'. Permitting HTTPS would have no
implications for data-providers unless they wished to use the protocol.
The main implication of permitting HTTPS would be that harvesters would
have to support HTTPS in addition to HTTP (or else be unable to harvest
from some data-providers). In many programming environments there are
libraries that provide seamless support for both HTTPS and HTTP (e.g. in
Perl, HTTPS comes for free in LWP) but this may not be true in all cases.

Who is using or would like to use HTTPS?

Which harvesters already support HTTPS or could easily do so?

Which harvesters could not easily support HTTPS?


[1] http://www.isi.edu/in-notes/rfc2818.txt
[2] http://www.openarchives.org/OAI/2.0/openarchivesprotocol.htm#HTTPembedding

Simeon Warner                 Email: simeon at cs.cornell.edu
Cornell Information Science              Tel: 607-254-8605
301 College Ave                          Fax: 607-255-5196
Ithaca, NY 14850-4623, USA

More information about the OAI-implementers mailing list