[OAI-implementers] Should OAI-PMH over HTTPS be permitted?

Simeon Warner simeon at cs.cornell.edu
Thu Feb 17 11:21:31 EST 2005 

I don't think this is an issue Patrick. Even if HTTPS is permitted for
OAI-PMH, the SR spec still only talks about HTTP for the Static Repository
URL [1] (the XML files). I think it should stay that way; the SR spec is,
after all, supposed to be the lowest barrier possible. The SRG would, in
principle, be able to use HTTP or HTTPS for its Static Repository Gateway
URL [2] although at present that is defined to be a HTTP URL.

I really think that the issue is just about harvesters which, in effect,
would _have_ to support HTTPS if it were permitted for baseURLs. Note that
that this isn't something where both are likely to be supported like GET
and POST. If a repo uses HTTPS and a harvester doesn't support it, then
that repo will be unharvestable by that harvester.

Cheers,
Simeon


[1] http://www.openarchives.org/OAI/test/guidelines-static-repository.htm#SR_URL
[2] http://www.openarchives.org/OAI/test/guidelines-static-repository.htm#SRG_URL


On Thu, 17 Feb 2005, Patrick Hochstenbach wrote:
> A related issue: if Static Repository Files would also be accessible via
> HTTPS, then constructing a OAI-PMH Gateway would be problematic because
> gateways URL's don't contain the scheme of the original file location.
> E.g.
>
>                                    ,-HTTP-OR-HTTPS-?-.
> http://www.gateway.org/somescript/www.university.edu/sr_file.xml?verb=Identify
>
> I don't know if other types of gateways have the same problems.
>
> Patrick Hochstenbach
>
> On Thu, 17 Feb 2005, Thomas G. Habing wrote:
>
> > Hussein Suleman wrote:
> >>  > Which harvesters could not easily support HTTPS?
> >>
> >> mine :) anything i distribute is meant to be as "dependency-free" as
> >> possible. historically, LWP has not been the easiest module to get working
> >> on a variety of architectures, so i don't use it.
> >>
> >> if we require every harvester to support HTTPS, this will become the first
> >> feature that programmers will need to support through external code
> >> libraries. as such we will raise the "low barrier to entry" substantially.
> >>
> >> i agree we should explicitly support HTTPS, but not require it.
> >
> > Because of the underlying APIs that we use (WinHTTP and MSXML), the harvester
> > that we use at UIUC supports HTTPS.  I agree with Hussein that harvesters
> > should be explicitly encouraged to support HTTPS, but it should not be a
> > requirement of the protocol.
> >
> > Maybe some advice on this topic could be added to the "Implementation
> > Guidelines" documents.
> >
> > Kind regards,
> > 	Tom Habing
> >
> >>
> >> ttfn,
> >> ----hussein
> >>
> >>
> >> Simeon Warner wrote:
> >>
> >>> There has been some interest recently in using OAI-PMH over HTTPS [1]. The
> >>> OAI-PMH specification [2] mentions only operation over HTTP, so I think
> >>> that at present HTTP must be used to conform to the specification (and
> >>> this is enforced by the validation/registration site). The specification
> >>> should be explicit about whether the use of HTTPS is conforming or not.
> >>>
> >>> It would be trivial to extend the specification to permit the use of HTTPS
> >>> as it is just standard HTTP operating over an additional security layer.
> >>> There would be no need to change the semantics or syntax beyond the
> >>> substitution of 'https://' for 'http://'. Permitting HTTPS would have no
> >>> implications for data-providers unless they wished to use the protocol.
> >>> The main implication of permitting HTTPS would be that harvesters would
> >>> have to support HTTPS in addition to HTTP (or else be unable to harvest
> >>> from some data-providers). In many programming environments there are
> >>> libraries that provide seamless support for both HTTPS and HTTP (e.g. in
> >>> Perl, HTTPS comes for free in LWP) but this may not be true in all cases.
> >>>
> >>> Who is using or would like to use HTTPS?
> >>>
> >>> Which harvesters already support HTTPS or could easily do so?
> >>>
> >>> Which harvesters could not easily support HTTPS?
> >>>
> >>> Cheers,
> >>> Simeon
> >>>
> >>>
> >>> [1] http://www.isi.edu/in-notes/rfc2818.txt
> >>> [2]
> >>> http://www.openarchives.org/OAI/2.0/openarchivesprotocol.htm#HTTPembedding
> >>>
> >>> ----------------------------------------------------------
> >>> Simeon Warner                 Email: simeon at cs.cornell.edu
> >>> Cornell Information Science              Tel: 607-254-8605
> >>> 301 College Ave                          Fax: 607-255-5196
> >>> Ithaca, NY 14850-4623, USA
> >>>
> >>>
> >>> _______________________________________________
> >>> OAI-implementers mailing list
> >>> List information, archives, preferences and to unsubscribe:
> >>> http://www.openarchives.org/mailman/listinfo/oai-implementers
> >>>
> >>
> >
> >
>
> _______________________________________________
> OAI-implementers mailing list
> List information, archives, preferences and to unsubscribe:
> http://www.openarchives.org/mailman/listinfo/oai-implementers
>

More information about the OAI-implementers mailing list