[OAI-implementers] HTTPS and OAI

Stephen Crawley crawley at dstc.edu.au
Thu Sep 30 22:32:53 EDT 2004

You wrote:
> However, https is not an 'accepted' transport for OAI-PMH. The
> specification describes only http transport. I wonder if there any good
> reason to encourage harvesters to support https in 'open' applications?

(Note: it is not just 'harvesters' that will use OAI-PMH.  The 'sets' 
functionality means that it could be used as a primitive category-based
metadata query mechanism.) 

Here are some good reasons:

1)  To allow private metadata to be interchanged securely.  While the 
    primary motivation of OAI-PMH is for open interchange, there is no good
    reason to preclude other uses of the protocol.  

2)  To allow important (public or private) metadata to be interchanged
    reliably.  HTTPS assures that no third party is tweaking the metadata 
    on the wire.

3)  To allow the client machines to know that they are talking to the
    right server.  HTTPS will catch attempts at spoofing; e.g. someone 
    creating a server that pretends to be your OAI server.

4)  To allow OAI servers to know who they are really sending metadata
    to.  HTTPS with client-side certificates (checked by the server)
    allows the server to establish that the client's true identity can
    be reliably determined if required.  Regular HTTPS can also be
    used to make other forms of HTTP-based user authentication safe;
    e.g. to secure user account names and passwords in an HTTP Basic 
    Authentication interchange.

5)  To allow ensure privacy of client requests.  Even when metadata is 
    public, it could be important that third parties do not know which 
    records are being requested by which clients.

Most people would prefer not to think about the kinds of issues that
HTTPS guards against.  But that does not make them imaginary.

IMO, it would be useful if the OAI specifications made some sensible
recommendations about the use of HTTPS and the use of standard HTTP
authentication mechanisms ... were appropriate.

-- Steve

| Stephen Crawley                  | HotMeta Project Leader
| Level 7, GP South Building (78)  | Distributed Systems Technology CRC
| Staff House Road                 | Tel   : +61 7 3365 4310
| The University of Queensland     | Fax   : +61 7 3365 4311
| Queensland 4072                  | Email : crawley at dstc.edu.au
| Australia                        | WWW   : http://www.dstc.edu.au
|                                  | DSTC is the Australian W3C Office

More information about the OAI-implementers mailing list