IETF Logo Mail Archive

[apps-discuss] Forwarded draft: registration policy

Mark Nottingham <mnot@mnot.net> Fri, 12 October 2012 20:59 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46BB121F87B6; Fri, 12 Oct 2012 13:59:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.109
X-Spam-Level:
X-Spam-Status: No, score=-104.109 tagged_above=-999 required=5 tests=[AWL=-1.510, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gcb33LrjfblD; Fri, 12 Oct 2012 13:59:58 -0700 (PDT)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) by ietfa.amsl.com (Postfix) with ESMTP id 9917E21F8779; Fri, 12 Oct 2012 13:59:58 -0700 (PDT)
Received: from [192.168.1.72] (unknown [118.209.87.82]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 1D7A922E255; Fri, 12 Oct 2012 16:59:51 -0400 (EDT)
From: Mark Nottingham <mnot@mnot.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Sat, 13 Oct 2012 07:59:47 +1100
Message-Id: <908A5670-8A38-4702-B801-B31BB756EA97@mnot.net>
To: "iesg@ietf.org IESG" <iesg@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
X-Mailer: Apple Mail (2.1499)
Cc: "apps-discuss@ietf.org Discuss" <apps-discuss@ietf.org>
Subject: [apps-discuss] Forwarded draft: registration policy
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Oct 2012 20:59:59 -0000

Draft -09 changed the registration policy for forwarded parameters:

> The "Forwarded" header field contains parameters for which IANA is to
>    create and maintain a new registry entitled "HTTP Forwarded
>    parameters".  Initial registrations are given below; for future
>    assignments, the registration procedure to be used is IETF review [RFC5226].

<http://www.ietf.org/rfcdiff?url2=draft-ietf-appsawg-http-forwarded-09>

I *think* this change was based upon Stephen's comment:

> Section 9 says only that the expert should ensure that the
> specification "address the security and privacy implications of the
> requested parameter." So if I defined a parameter that passed on the
> precise location of the end-user or the most recent healthcare
> related URL they've accessed then would that be ok? I think
> additional instructions are needed as to the acceptable purposes to
> which such parameters can be put or else perhaps IETF review would
> in fact be better. Given the field of applicability I would not be
> surprised if very privacy-invasive parameters were defined in
> future.


<https://datatracker.ietf.org/doc/draft-ietf-appsawg-http-forwarded/ballot/>

For the record, I question whether IETF Review is necessary for this registry, because it sets it up as a gatekeeper, rather than a registry of deployed parameters. 

I strongly suspect vendors will give in to the temptation to deploy unregistered parameters here, meaning we'll be publishing yet another registry that's both disconnected from reality and failing to serve the purported purpose (protecting security and privacy).

Regards,

--
Mark Nottingham   http://www.mnot.net/

v2.23.0 | Report a Bug | By Email