Re: [core] Tossing around URIs to use outside an application

Klaus Hartke <hartke@projectcool.de> Sat, 22 May 2021 12:45 UTC

Return-Path: <hartke@projectcool.de>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34CF73A23C1 for <core@ietfa.amsl.com>; Sat, 22 May 2021 05:45:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z6BnhmOpeIr0 for <core@ietfa.amsl.com>; Sat, 22 May 2021 05:45:13 -0700 (PDT)
Received: from wp382.webpack.hosteurope.de (wp382.webpack.hosteurope.de [IPv6:2a01:488:42:1000:50ed:8597::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA1BF3A23BF for <core@ietf.org>; Sat, 22 May 2021 05:45:12 -0700 (PDT)
Received: from mail-pf1-f181.google.com ([209.85.210.181]); authenticated by wp382.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) id 1lkR08-0004UO-Ae; Sat, 22 May 2021 14:45:08 +0200
Received: by mail-pf1-f181.google.com with SMTP id 10so16992143pfl.1 for <core@ietf.org>; Sat, 22 May 2021 05:45:08 -0700 (PDT)
X-Gm-Message-State: AOAM531Kroi2CkKLLFCAqzMp25yzKugsUe2aLcui3iGYO65JziFE7KNz ih3OgBdQiua3s2X87Pi9yP50QEk9NKdRDfLsDp4=
X-Google-Smtp-Source: ABdhPJzc1jImxxAucy0i+PLKHtrk5FSK3tB38qEKRLwcwOPSGrO84Nu65n32SDmyZrUOaio0NDhZYpDJu2XKV7pxvEw=
X-Received: by 2002:aa7:8a85:0:b029:2db:484c:de1a with SMTP id a5-20020aa78a850000b02902db484cde1amr14978548pfc.2.1621687506893; Sat, 22 May 2021 05:45:06 -0700 (PDT)
MIME-Version: 1.0
References: <YKJltpQ9l6k4tseH@hephaistos.amsuess.com>
In-Reply-To: <YKJltpQ9l6k4tseH@hephaistos.amsuess.com>
From: Klaus Hartke <hartke@projectcool.de>
Date: Sat, 22 May 2021 14:44:32 +0200
X-Gmail-Original-Message-ID: <CAAzbHvbtysXRCe+E61BcjSFooVBqXcOYdTuAGr4ha=kYtfPuxg@mail.gmail.com>
Message-ID: <CAAzbHvbtysXRCe+E61BcjSFooVBqXcOYdTuAGr4ha=kYtfPuxg@mail.gmail.com>
To: =?UTF-8?Q?Christian_Ams=C3=BCss?= <christian@amsuess.com>
Cc: "core@ietf.org WG" <core@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-bounce-key: webpack.hosteurope.de; hartke@projectcool.de; 1621687512; f1b5fa11;
X-HE-SMSGID: 1lkR08-0004UO-Ae
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/MtVg1aqDqOkHdnwthmsQ2h4yaLg>
Subject: Re: [core] Tossing around URIs to use outside an application
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 May 2021 12:45:14 -0000

Christian Amsüss wrote:
> A thing that came up in last week's interim is the usability of URIs
> that you are just "tossed", with respect to secure usage.

In addition to secure usage, this came also up with respect to the
vocabularies used e.g. in CoRAL documents. I.e., if we need to pass
more than just a URI, such as security-related information, could we
also pass vocabulary-related information in the same way?

> What I'm leaning towards taking from this is that we should be able to
> support tossable URIs, but what they would look like in practice in a
> CoREnvironment may need looking into.

That might be closely related to the question what a tossable URI in a
CoREnvironment is precisely... When a Web browser is tossed a URI,
it's preconfigured with a set of root certificates and a single
purpose: Make a GET request to that URI and render the resulting HTML
document. In a CoREnvironment, there are probably no root certificates
and no predefined purpose. At a minimum, you probably always toss a
URI together with something like "Your resource directory is at this
URI" or "Please POST your sensor data to this URI". Additionally, you
probably also need to configure some certificate/PSK and the
intents/wills of the stakeholders/principals involved. Maybe some of
that needs to be set directly, maybe some could be discovered through
a layer of indirection. Is there something we could standardize here?

Klaus