IETF Logo Mail Archive

RE: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard

"Darcy Kevin (FCA)" <kevin.darcy@fcagroup.com> Mon, 10 August 2015 22:54 UTC

Return-Path: <kevin.darcy@fcagroup.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A7401A0217; Mon, 10 Aug 2015 15:54:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Eb2uK7iFBze; Mon, 10 Aug 2015 15:54:38 -0700 (PDT)
Received: from odbmap07.extra.chrysler.com (odbmap07.out.extra.chrysler.com [129.9.107.37]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26F391A0203; Mon, 10 Aug 2015 15:54:38 -0700 (PDT)
Received: from shbmap09.shdc.chrysler.com (Unknown_Domain [151.171.73.109]) by odbmap07.extra.chrysler.com (Symantec Messaging Gateway) with SMTP id D4.19.17792.CAB29C55; Mon, 10 Aug 2015 18:54:36 -0400 (EDT)
X-AuditID: 81096b23-f796a6d000004580-7c-55c92bacf04c
Received: from MXPA1CHRW.fgremc.it (Unknown_Domain [151.171.20.17]) by shbmap09.shdc.chrysler.com (Symantec Messaging Gateway) with SMTP id 16.BD.13980.CAB29C55; Mon, 10 Aug 2015 18:54:36 -0400 (EDT)
Received: from mxph4chrw.fgremc.it (151.171.20.48) by MXPA1CHRW.fgremc.it (151.171.20.17) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Mon, 10 Aug 2015 17:54:36 -0500
Received: from mxph4chrw.fgremc.it (151.171.20.48) by mxph4chrw.fgremc.it (151.171.20.48) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Mon, 10 Aug 2015 17:54:35 -0500
Received: from mxph4chrw.fgremc.it ([fe80::cc0c:cb4f:1b3f:2701]) by mxph4chrw.fgremc.it ([fe80::cc0c:cb4f:1b3f:2701%18]) with mapi id 15.00.1076.000; Mon, 10 Aug 2015 17:54:35 -0500
From: "Darcy Kevin (FCA)" <kevin.darcy@fcagroup.com>
To: Alec Muffett <alecm@fb.com>, Joe Hildebrand <hildjj@cursive.net>
Subject: RE: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard
Thread-Topic: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard
Thread-Index: AQHQvmrwDFqyX6p2K0qSDmKp95csI54BBxoAgAAK5QCAAA/qgIABQ5oAgAOK6gCAABSKgIAACqeAgAAL+ICAABC/gIAAEKMA//+5L+A=
Date: Mon, 10 Aug 2015 22:54:35 +0000
Message-ID: <2dc608607be34a09bc1192e5366323ed@mxph4chrw.fgremc.it>
References: <20150714192438.1138.96059.idtracker@ietfa.amsl.com> <D1EA295A.DFA3%edward.lewis@icann.org> <55C4C0DA.8070502@w3.org> <D1EA43FA.DFB8%edward.lewis@icann.org> <554DA9E5-2071-48A2-8AC8-DD07DE3B2BB0@fb.com> <CA+9kkMAcW_g28qAZ8SKbqefZfdDxzdM7=0D_of7f_qLm08d3wA@mail.gmail.com> <CD2ABBDD-F9CA-4A27-A0B6-3CDD37DB1AB4@fb.com> <CA+9kkMAmuXuLpsHVm8PeFQ5V+48mdd06=u=L+gKPqGVQSh-FFg@mail.gmail.com> <8D7DDDFF-BC2E-4A98-ADDB-A72D2C6A796E@fb.com> <EE0CF597-EC22-4853-8020-1F2AFECF73EE@cursive.net> <C0DB3F19-80F2-415C-9968-CD4072C9298A@fb.com>
In-Reply-To: <C0DB3F19-80F2-415C-9968-CD4072C9298A@fb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [151.171.20.223]
Content-Type: multipart/alternative; boundary="_000_2dc608607be34a09bc1192e5366323edmxph4chrwfgremcit_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprNKsWRmVeSWpSXmKPExsUyfbVnru4a7ZOhBouuGlrsPX6e1eLum8ss Fm0vmhgtdk3cyWTxbON8Fov1nx4zWkzts7VonGvnwOFxYsIOFo+Jze/YPXbOusvucfjCfRaP JUt+MnlM3jiLxWPj4u+sAexRXDYpqTmZZalF+nYJXBkPP/9kLjhwm7Hi9cy/jA2Mt64ydjFy ckgImEi8vPWVBcIWk7hwbz1bFyMXh5DAJUaJdduPs8MULZ73hg3EFhI4yShxZUEtRNE6RonN bx4xwTlvPr9ihHB2MkpcPH4PrIUNqH3hlbvMXYwcHCICLhJn/9uC1DALXGCUOHF/PStIjbBA vcSTMyvAJokINDBK9PxoZAJJiAiUSbw5+hSsiEVAVeJA9ztmEJtXwEni7otGqG3rWSTOPnoL luAUsJI49ug32HeMQB99P7UGbBCzgLjErSfzmSAeEpBYsuc8M4QtKvHy8T9WCNtAYuvSfdDQ UJK4u3c5G0RvpsTHpfNZIRYLSpyc+YQFEhiqEv1rX7KDHCEhMJ1TYvGs04wTGGVmIdk3C0n/ LCT9s4ChwSygKbF+lz5EiaLElO6H7BC2hkTrnLnsyOILGNlXMUrnpyTlJhYYmOulVpQUJeol ZxRVFuekFukl5+duYgSmpkbObOUdjFPmWh5iFOBgVOLh/Sh3MlSINbGsuDL3EKM0B4uSOO9T ZaCQQHpiSWp2ampBalF8UWlOavEhRiYOTqkGRr+rr10rwycGhzjOFs/yTDV3ZWZ8nrfw5Y/f PL//RSfIzuCb7NI4tbhhydw1ecdcFAVXvVQUvPAv/9qElpcG+jZxNQFrZ867y8p5SH3W8XQl QddI6dlv2+bIvFurtEy8e0/0FnbBOdePnqn4x37+pa7Q/o8vWqfftur7di3bbAqTQ++OP4kP XZVYijMSDbWYi4oTAcQNN6ouAwAA
X-Brightmail-Tracker: H4sIAAAAAAAAA02Ta0gUURiGOTOzu+PixHHdbU+WRFOWGZpdoDHTLIS2H0EFRjeoSUdna12X GRUNKi0q0FBLJVwyLbWi22JRudLFjEwl0W6WylZeU9ssEzKJtJmdvPx7z3nf7/nOdziHxHW1 aj/SbE3mBCtrodVa4vwNvU/wzWUNMaEV5Ubm0YtmFeNyvyGYU/3HAVN91okxfZUlBOP42Q2Y wpwIJrM4Moo01edVEaazJ4Y0JqfdpTE9a/lEmMrLxzBTfqWdMFWWjaq2anZr18VxFnMqJyyP 3K/lO0fGcFtNB0j7WvQXZID2dyALeJEIrkZlF91qRc9GLR8dHq2DDQC9LT2SBbSSvg3QXXcX NrVwjwwCZeEE6NWLj54StYS69NaFZwGS1MNo1DQRIWdw2AJQ/SeHSs74wmOo5+U1D0kPMwA6 8zsTkw09TEXu572eEAEDUE32EC5rCm5Erv7M/90cBGrq+uYxvOBaVNf1xzMEkA4+2njTA8Kh EbX3lGDKQBCVP2zGFW1AA93jKkWHonsVjwlF08j16KpaqTWj4YoSldLYBzUU9RDKZQSg3FsD mjwwxz6jhX1GiX1GiV26ABwuRY7q5UpkASrI7tQoOhCdvFCsmblfCjTXgZ/IH0hkbaFhISIf FxsSywvpooUTQmKTEu8AzzPZbKkCE5fCagEkAe1NGeY3xOhUbKqYnlgL5pAYbaD2zpO2Zh1I ikvnWZHfJ6RYOLEWIBKn9dTCgfoYHRXHph/mhKRJay5J0EZqkS1qmw4msMncIY6zccKkO48k aUT5B0lQH4FL4NLizZbkaRsjvWS4twSn5Qwl2thE0Zyg+I0ggGwt+3AL0xHWJCvnZ6SgHIJy iE+xTnEGgVEax5cKlF1v6WNMEQYlOCbBI7fJJxeT2WnLLwM4vMPH9R3v/VcV8dv940diTn/Z cL3i3NiPz4bgg9Wu3v41O8PrFj/1WZmfcqF7zd6swIKoJ2/eH7KNLmjbA6/QNUHRVQ8ODncf 1ep2iM772JKOtBu/Nh3nGMPrnUP66vPZW4J3XaTX+3p1hNtb69ouf6fMD1NLnIV7lvUVbwU5 u3MRTYg8uyIIF0T2H9MKdxjVAwAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/KC3mi5ph-en-2atAUgm-vNbA9tI>
X-Mailman-Approved-At: Tue, 11 Aug 2015 08:06:28 -0700
Cc: Edward Lewis <edward.lewis@icann.org>, Ted Hardie <ted.ietf@gmail.com>, "ietf@ietf.org" <ietf@ietf.org>, Richard Barnes <rlb@ipv.sx>, "dnsop@ietf.org" <dnsop@ietf.org>, Mark Nottingham <mnot@mnot.net>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2015 22:54:41 -0000

In retrospect, the definition of the “http” and “https” schemes (i.e. RFC 7230) should have probably enumerated clearly which name registries were acceptable for those schemes, so that the following language from RFC 7320 (a BCP) could be invoked against any attempt by an app – Onion or anyone else -- to inject their own unique brand of “specialness” into the interpretation of the Authority component of their URIs:

Scheme definitions define the presence, format and semantics of an
authority component in URIs; all other specifications MUST NOT
constrain, or define the structure or the semantics for URI
authorities, unless they update the scheme registration itself.

7230 casually mentions DNS and “network host table” as name registries that can potentially be used for “http” and/or “https”, but never implies that those 2 constitute the only members of the set.

If both injecting “specialness” into the URI, and updating the “https” scheme itself, were viewed as unavailable or unappealing options, then Onion – and anyone else who follows the same path – would be left with no other choice but to define their own scheme.

                                                                                                                                                                - Kevin

From: DNSOP [mailto:dnsop-bounces@ietf.org] On Behalf Of Alec Muffett
Sent: Monday, August 10, 2015 5:25 PM
To: Joe Hildebrand
Cc: Edward Lewis; Ted Hardie; ietf@ietf.org; Richard Barnes; dnsop@ietf.org; Mark Nottingham
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard


On Aug 10, 2015, at 1:25 PM, Joe Hildebrand <hildjj@cursive.net<mailto:hildjj@cursive.net>> wrote:

If the smiley means "they're already deployed, so we don't get to talk about whether they're appropriate", then fine, but that's why a bunch of people are complaining about the precedent this sets. If the smiley means "this is a good protocol design that other people should follow", then I'm not sure we have consensus on that.

I apologise that my personal opinion and cheery demeanour appears to be extrapolatable into a couple of contrasting strategic positional statements.

To put my personal opinion at greater and more clear length:

In the context of URI schemes, accessing a Tor onion site (currently) over HTTP or HTTPS is precisely *that* - a fetch of HTML or other content which a HTTP or HTTPS request might typically be used to access - without the client software needing to be adapted for Tor access at "Layer 7".

Such a fetch is functionally just a vanilla HTTP/S over an “alternate" transport, the latter generally enabled by a SOCKS proxy or a content-aware VPN.

Such fetches currently work, have done so for several years, and have been used by many, many thousands of users, possibly millions.

Similarly, ssh://user@someonionaddress.onion is equally an extant and functional SSH request to someonionaddress.onion

Equally git://someonionaddress.onion/user/project-name.git would not immediately strike me as needing to be forcibly changed to “onion-git://“<onion-git://%E2%80%9C> simply because Git is invoked over an "alternate” transport with a “alternate” name resolution. It currently works, so why break it?

From this observation, my personal opinion of “the proper scheme for an HTTP/S fetch to an Onion address" is something of a duck-test:

TEST: if a fetch looks like HTTP/S and quacks like HTTP/S, then I think that it should likely be given a HTTP/S scheme.

Conversely: it’s arguable that schemes like “daap” or “rtsp” are also “HTTP-based”, and that *they* have special schemes, so perhaps fetches from Onion-addresses should “have special schemes” too?

I can sympathise with this argument.  It makes logical sense.

I personally differentiate and resolve this argument in terms of intent, and in terms of client and server-software.

“rtsp://” for instance is used for streaming, and requires magic, RTSP-specific headers, and the frontend is something like VLC or iTunes, and the backend requires a special streaming stack.

To me, this smells of specialism.

Equally: if iTunes incorporates a webview and fetches a bunch of web-content for human consumption, it likely uses a HTTP/S scheme to do so, rather than a specialist “ituneshttps://“ scheme.

This smells of specialist software trying to be a "general-purpose browser".

So, given these conditions:

- if the intent is largely to provide HTML+CSS content to human beings,
- if the client software is most likely a well-known browser (tor browser = firefox) operating in its normal mode
- …but not necessarily or exclusively a browser…
- and if the server software is something like Apache + {Wordpress, Drupal, a bunch of static HTML}

…then under these conditions, again, I apply the duck test. I feel that such fetches are HTTP/S and should have that scheme.

Hence why I feel that the extant, vanilla HTTP/S schemes are most appropriate for fetching browser content from onion addresses.

The other matters, regarding domain name resolution and generic URI syntax, I have already covered at some length.

   - a

*aside: using VLC to RTSP to an Onion address will work just fine when SOCKS (etc) is configured… etc...

—
Alec Muffett
Security Infrastructure
Facebook Engineering
London

v2.23.0 | Report a Bug | By Email