[OAI-implementers] Should OAI-PMH over HTTPS be permitted?

Tansley, Robert robert.tansley at hp.com
Fri Feb 18 09:04:24 EST 2005

> At least two sites are registered at UIUC with HTTPS data providers:
> <https://kb.osu.edu/dspace-oai/request?verb=Identify>
> <https://tspace.library.utoronto.ca/tspace-oai?verb=Identify>
> both DSpace sites.

My guess is that there is no real intent behind these sites using https
-- if you deploy DSpace using Apache HTTPD + Tomcat (a common setup)
it's easy to just redirect everything to https: including the OAI-PMH
part.  If it's a problem, I'm sure you can contact the administrators of
those sites and they'll fix it.

That said, requiring OAI-PMH to be HTTP-based seems rather pointlessly
limiting to me -- you're instantly excluding any secure use of it.
OAI-PMH has applications outside of academic institutions wishing their
metadata to be as widely indexed as possible.

In terms of harvester tools supporting it, if I'm in a situation where I
need to have OAI-PMH used securely, I don't care -- I don't want just
anyone to be able to harvest my metadata, so I'll put up with needing
harvesters that support HTTPS for my application.

So perhaps we need to distinguish between what it means to be compliant
with OAI-PMH the protocol, and requirements to be part of the network of
academic/scholarly/"open" repositories and metadata sources that wish to
be as widely indexed as possible.

 Robert Tansley / Digital Media Systems Programme / HP Labs

More information about the OAI-implementers mailing list