IETF Logo Mail Archive

Re: [Gen-art] /.well-known placed below the URI local-part root

Mark Nottingham <mnot@mnot.net> Thu, 30 April 2020 23:32 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F9AC3A1641 for <gen-art@ietfa.amsl.com>; Thu, 30 Apr 2020 16:32:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=YJNYa42E; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=IWmbcQHd
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Laaa9IGAcidV for <gen-art@ietfa.amsl.com>; Thu, 30 Apr 2020 16:32:36 -0700 (PDT)
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEFB83A0990 for <gen-art@ietf.org>; Thu, 30 Apr 2020 16:32:34 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.west.internal (Postfix) with ESMTP id 2A1E6770; Thu, 30 Apr 2020 19:32:34 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Thu, 30 Apr 2020 19:32:34 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm2; bh=c krSNJBvSMtWSdqQ3g88JHS3IA1/jcros5WHoiuo+GQ=; b=YJNYa42EfltIIJ+a8 YDs8zQ2/qncLtIVauOgDyQRtjB/H5zD2NNVqCgAFM+Rlg4W1zfF4tcBVwJciJ3xE wDNsbLf2M+XD29I00WyVP+JgY2nGHCCb6sxiVEQPETVFUg7YVvnt5VGwzejIAi58 37lR2Cd6AIG6lDdo9tmYHAMs/3jXcWZ4auCqgXTO5hWPh8pA1brEjAxamcfIfhgf 2w1ONY1vmgtPwjaiG/WAKuIR7jTR49VgoYXm3v/oGXEsq0xGFn7Bdh8FIyr6ovJd VnjZm4XBDcbhxCnskwMCQ5tFQsOEp7SsGY4Qj4+/IbtmIZKUx8atkzY/bmTVZkzD Z6Aqw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=ckrSNJBvSMtWSdqQ3g88JHS3IA1/jcros5WHoiuo+ GQ=; b=IWmbcQHdkF+Ix9hMZLNEE3cKCIaqDPxbJ0nZoxvqTw47IElqzThxDOdPF rNaUwH5nCyTN69YvCWOrbcwNtfRxX3TpTOF47fUwkt2gwklUWxU+KFeRmb5z5q7Q aCFXcMAoJ3F7LmZvvvi6BJHNqsjcgoefozcV+V2tF63nMaN3/JZ7T23S1SU+UYGC H0gLYlQRwyFO0NWlV+irRgWW2T5Kl8vz0r/nruccgzVusreRfOkoMBGnLHVxOZP7 F1fZho2+6W881sSyiwFedBV7i7ON4VoNuUu5dQZ1UafRjwnG4Pype+GfaCfvllsG 4BlFyq5ts5inO1NTl2PtfFkpb00Jg==
X-ME-Sender: <xms:D2CrXvcZtpgOEXXaf1H3goI3CXhW2GnKJ3g0vukajik-toavqRB3Cg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrieeigddvvdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpegtggfuhfgjfffgkfhfvffosehtqhhmtdhhtddvnecuhfhrohhmpeforghrkhcu pfhothhtihhnghhhrghmuceomhhnohhtsehmnhhothdrnhgvtheqnecuggftrfgrthhtvg hrnhepueehgfffueekhedugfekgfffkeeviefhleevueehgfeufefhgeektedtueevhfeg necuffhomhgrihhnpehgihhthhhusgdrtghomhdpohhpvghnihgurdhnvghtpdhmnhhoth drnhgvthenucfkphepudduledrudejrdduheekrddvhedunecuvehluhhsthgvrhfuihii vgeptdenucfrrghrrghmpehmrghilhhfrhhomhepmhhnohhtsehmnhhothdrnhgvth
X-ME-Proxy: <xmx:D2CrXjJUeJcipDpGsqmB6hKX7x4vebln_Gq-JiRNIIBo-9IAfCHlJQ> <xmx:D2CrXvQCIW62cwkjZ8qrnGGBvZvAm25gOulHox8M7Ldr0rlLFuj46g> <xmx:D2CrXkTdP6JwN9zAN9lYAkgKYbKd8MQ4llIz1JA22d3L5zf1XyzHCw> <xmx:EWCrXt91BkkQg-5UsiNARaGuTYrk8_Cqk4XmoevHCpxSI3T2dERy_Q>
Received: from macbook-air.mnot.net (119-17-158-251.77119e.mel.static.aussiebb.net [119.17.158.251]) by mail.messagingengine.com (Postfix) with ESMTPA id 7FEA83065F47; Thu, 30 Apr 2020 19:32:30 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <20200430194204.GE18021@localhost>
Date: Fri, 01 May 2020 09:32:27 +1000
Cc: gen-art@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <48CA6847-A820-4028-9E6E-766FF39A85B1@mnot.net>
References: <20200430194204.GE18021@localhost>
To: Nico Williams <nico@cryptonector.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/bUVbgQtyqveKKao0j1bD3hpbi2U>
Subject: Re: [Gen-art] /.well-known placed below the URI local-part root
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Apr 2020 23:32:46 -0000

Hi Nico.

(a) (b) Appendix A already talks about it some:

"""
   Why aren't per-directory well-known locations defined?
      Allowing every URI path segment to have a well-known location
      (e.g., "/images/.well-known/") would increase the risks of
      colliding with a preexisting URI on a site, and generally these
      solutions are found not to scale well because they're too
      "chatty".
"""

We could say more in the spec proper, I suppose.

(c) seems like a good pattern to recommend for people who really want to scratch this itch -- although I suspect some will complain that it's hard to maintain the linkages (it's not really, they just need a competent sysadmin).

(d) is not something I'm keen to do. Just because people have done it shouldn't mean that we should give that practice any formal air cover.

(e) The current approach we take is that every registration is effectively its own name space; it can do what it likes with substructure (including establishing another registry). That gives a lot of freedom, but it's caused some confusion (e.g., most recently with EST and extensions to it), so some indication of what policy is in use would be interesting -- either in the spec, or the registry itself. It may be too early or this, but I could see a list of common management mechanisms being created for easy reuse.

Question: do you see any of these issues as urgent? .well-known got revised relatively recently, so I'd like to collect some more feedback/issues before reopening the box, ideally. If they're not urgent, would it be OK to just log them as open issues (I use <https://github.com/mnot/I-D/labels/well-known>)?

Cheers,


> On 1 May 2020, at 5:42 am, Nico Williams <nico@cryptonector.com> wrote:
> 
> RFC 8615 (and RFC 5785 before it) says that .well-known should be at the
> root of the URI local-part.  Appendix A explains the rationale.
> 
> However, I'm seeing multi-tenancy in OpenID, with URI local-parts of the
> form /${tenant}/.well-known/openid-configuration, which is not the
> intended usage.  /.well-known/openid-configuration/${tenant} would have
> been better, given what the RFC says.
> 
> I suspect this happened because the registration for the
> openid-configuration well-known URI [0] did not cover this use case.
> 
> Not sure that anything can or should be done about this, but it might be
> worth reporting it here, thus this post.
> 
> If I had to propose anything at all to do about this, it might be to
> update RFC 8615 to a) describe the use case, b) describe what has been
> done, c) recommend or require /.well-known/thing/thang over
> /thing/.well-known/thang, d) possibly grandfather some existing uses of
> /thing/.well-known/thang, e) maybe update the registry to require that
> registrants indicate whether they intend to have further structure below
> their well-known URIs.
> 
> Nico
> 
> [0] https://openid.net/specs/openid-connect-discovery-1_0.html

--
Mark Nottingham   https://www.mnot.net/

v2.23.0 | Report a Bug | By Email