PP3: The Architecting of Identifier Expansion
Lisa Dusseault <lisa@osafoundation.org> Mon, 07 January 2008 22:29 UTC
Return-path: <discuss-bounces@apps.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JC0T8-0000Fa-0M; Mon, 07 Jan 2008 17:29:18 -0500
Received: from discuss by megatron.ietf.org with local (Exim 4.43) id 1JC0T6-0000FQ-3O for discuss-confirm+ok@megatron.ietf.org; Mon, 07 Jan 2008 17:29:16 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JC0T5-0000FI-Pg for discuss@apps.ietf.org; Mon, 07 Jan 2008 17:29:15 -0500
Received: from laweleka.osafoundation.org ([204.152.186.98]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1JC0T4-00024t-Qj for discuss@apps.ietf.org; Mon, 07 Jan 2008 17:29:15 -0500
Received: from localhost (laweleka.osafoundation.org [127.0.0.1]) by laweleka.osafoundation.org (Postfix) with ESMTP id DFFE4142207 for <discuss@apps.ietf.org>; Mon, 7 Jan 2008 14:29:16 -0800 (PST)
X-Virus-Scanned: by amavisd-new and clamav at osafoundation.org
Received: from laweleka.osafoundation.org ([127.0.0.1]) by localhost (laweleka.osafoundation.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gMSKyVF-F7k3 for <discuss@apps.ietf.org>; Mon, 7 Jan 2008 14:29:12 -0800 (PST)
Received: from [192.168.1.101] (unknown [74.95.2.169]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by laweleka.osafoundation.org (Postfix) with ESMTP id 2722714229B for <discuss@apps.ietf.org>; Mon, 7 Jan 2008 14:29:12 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Transfer-Encoding: 7bit
Message-Id: <1816D113-D902-42CC-B291-80DE72E22018@osafoundation.org>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
To: Apps Discuss <discuss@apps.ietf.org>
From: Lisa Dusseault <lisa@osafoundation.org>
Subject: PP3: The Architecting of Identifier Expansion
Date: Mon, 07 Jan 2008 14:29:08 -0800
X-Mailer: Apple Mail (2.752.3)
X-Spam-Score: -4.0 (----)
X-Scan-Signature: bf422c85703d3d847fb014987125ac48
X-BeenThere: discuss@apps.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: general discussion of application-layer protocols <discuss.apps.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@apps.ietf.org?subject=unsubscribe>
List-Post: <mailto:discuss@apps.ietf.org>
List-Help: <mailto:discuss-request@apps.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@apps.ietf.org?subject=subscribe>
Errors-To: discuss-bounces@apps.ietf.org
PP3 ============================================================ The Architecting of Identifier Expansion February 2008 APPS Area Architecture Workshop ============================================================ This text: December 2007 Leslie Daigle. ---------------------------------------- Introduction ---------------------------------------- I'd like to take this opportunity to explore one particular aspect of applications infrastructure architecture. Namely, I'd like to offer some commentary on, and foster discussion about, the general approach to expanding Internet application/ identifiers to accommodate new uses. ---------------------------------------- First reality: Deploying new infrastructure is hard ---------------------------------------- Stepping back from the specifics of technology for a moment, there is a larger question of what to standardize and/or specify in order to facilitate and promote applications that work in the global Internet. That is, rather than standardizing specific piece protocols, are there well understood principles for what is deployable/not? Do we know what "application infrastructure" is? A decade ago, the focus was on developing a directory service (or services) and a stack of Internet identifiers -- uniform names that lead to uniform locators that relied (often) on the DNS for final resolution. Global directories didn't pan out -- at least in part because the need for globally interoperable access to (potentially) sensitive data was not clear. And the struggle over control of the one successfully-deployed lookup infrastructure (DNS) was fostering concerns over the notion of a centrally "controled" infrastructure in a globally-dispersed network. We're still working through the ramifications of that today, as national governments express concerns that their country's commercial reality is in some way dependent on the US government's continued willingness to support their DNS country code in the DNS root. (It's a tortuous argument, but that really is the line of logic). We can see the spillover of this problem when the French agitate to set up a separate ONS root (for RFID-based supply chain management infrastructure), on the argument that they need/want their own control. (The formally sanctioned root of the ONS global tree is operated under contract by a US-based company. There is no formal relation to the USG the way there is for the DNS root, but the argument is that any company is subject to its (home) nation's government). That is, whether or not we manage to keep a single root in the DNS, the DNS-based global argument is spilling into a general philosophy of "nationally-controlled infrastructure". So, what does all this higher-layer politicking mean for applications infrastructure architecture for the Internet? An obvious and already well-understood conclusion is that services must have distributed control (peer to peer, etc). However, it is also worth recognizing that we are not about to dismantle or stop using existing infrastructure services. We're going to keep piling on top of them, because it is very hard to get ubiquitous deployment of new, cooperatively managed, infrastructure services. this is as true for DNS as for routing and addressing. ---------------------------------------- Second reality: Stretching existing infrastructure is painful ---------------------------------------- If deploying new infrastructure is hard, the next thing to try is extending existing protocols, protocol elements, and infrastructures. There are at least 3 different types of challenge in doing this well: 1/ the obvious challenge of compatibility within the protocol(s) being extended; 2/ the equally obvious challenge of ensuring continued compatibility on the wire if there is interplay between servers/clients of different generations; and 3/ the somewhat less obvious issue of expectations and dependencies that may have been built by unrelated protocols and services. For example, when Internationalized domain names were discussed, the primary focus was on the first two challenges. The implications of the 3rd are still being explored: should protocols that carry "domain names" now allow "internationalized domain names"? The answer should be a clear "no", from a protocol perspective: IDNs are strings of unicode characters. *IDNA* representations are valid domain names. However, this consideration gets a little trickier from a human usage point of view. A slightly more subtle version of the question is: what label goes into the distinguished name of an X.509 certificate domain component? These are not resolved in the DNS, so they could be IDNs, right? If the use of the domain component is to show the end user a domain and ask them to confirm it is the domain they intended to access, the IDNA representation is not likely to be useful. However, it's probably equally difficult for a machine to compute a comparison between two IDNs, particularly once one factors in the various equivalence tables supported by different top level domains. ---------------------------------------- Building Archaeologically: New layers on top of old ones ---------------------------------------- Maybe we can think of applications infrastructure in the light of layering on top of existing systems in as clean a fashion as possible. Applications infrastructure itself should evolve as applicatons' needs do: but deploying completely new infrastructure is always a challenge, and simply dumping more stuff into the existing one is not a winning solution for technical and operational reasons. If we want to layer, then we have to have well understood: . semantics at each layer . translation between layers This is more or less the general theory behind the basic Internet identifiers in the Internet protocol stack -- and there's an expired IAB Internet-Draft by Geoff Huston and others that provides a taxonomy of the characteristics that define identifiers at a given layer, as well as eventual dependencies between the layers (draft-iab-identities, expired). Do we need to take that to another level and formalize the notion of the "presentation layer", allow the human-facing identifiers to be more human, without perturbing the functioning of machine processing of protocols? And, does this separation more than just a difference of size of character set, and have more to do with a difference of representation? John Klensin proposed that approach in defining a "layer above the DNS (draft-klensin-dns-search, expired); Michael Mealling and I worked on framing a protocol that would support just such a separation (draft-mealling-sls, expired). From the fact that I'm referring to a bunch of (long since) expired Internet-Drafts, it should be clear that this approach has not been brought to completion. We got to the point of development where it was perfectly clear that the technology was not the challenge: we could provide a sound protocol/infrastructure proposal to support the layer above the DNS approach to separating "identifying things that are maybe network accessible" from "identifying network things". Instead, the challenge was the apparent lack of will or interest in deployment. ---------------------------------------- Questions for further exploration ---------------------------------------- The need to extend and expand Internet identifiers, particularly with respect to supporting an internationalized Internet experience, is not going to go away. And we know that deploying new systems is (impossibly hard) and extending existing systems is (unexpectedly) painful. 1/ Do we just keep muddling with extensions, putting out fires where they appear, or can we take some architectural step back and get ahead of the development curve? 2/ Is layering an answer? Can start this discussion from the perspective of looking at what does/not work with the layer above DNS approach.
- PP3: The Architecting of Identifier Expansion Lisa Dusseault